Check Point’s security researchers have disclosed a 17-year-old “wormable” security flaw, dubbed SigRed, that carries the maximum score of 10.0 on the CVSS scale.
The remote code execution flaw, tracked as CVE-2020-1350, allows an unauthenticated remote attacker to obtain domain admin privileges on affected servers and take full control of an organization’s IT infrastructure. This highly critical flaw affects Windows Server versions 2003 through 2019.
To exploit this vulnerability, a remote attacker sends malicious DNS queries to a Windows DNS server to achieve arbitrary code execution. Once that is done, the attacker can intercept and manipulate network traffic and users’ emails on the targeted servers, render key services unavailable, and hijack user credentials.
According to Check Point researcher Sagi Tzadik, the wormable nature of this flaw lets attackers launch attacks that can automatically spread from one vulnerable device to another without needing any human interaction or supervision.
The vulnerability is caused by a flaw in the way the Windows DNS server handles SIG (signature) record queries. An attacker sends a malicious SIG record over 64 KB in size to trigger a buffer overflow and execute code remotely with administrator privileges.
Admins are urged to apply Microsoft’s patch or workaround quickly to mitigate the threat, because the researchers believe the vulnerability is relatively easy to exploit: any “determined hacker” could incorporate it into self-propagating “worms” that spread on their own.
“Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially domain controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,” wrote Check Point researchers in a blog post.
They further note that the threat is equally easy to mitigate. Microsoft has also published a registry-based workaround for Windows systems that limits the maximum size allowed for incoming TCP-based DNS response packets.
Most importantly, however, admins need to install the security updates at the earliest opportunity, because a single exploit can set off a chain reaction that lets attackers compromise multiple devices.
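The two technical points above, the oversized SIG record and the cap on TCP-based DNS response size, can be turned into a simple triage check for captured DNS-over-TCP traffic. The following is an added example for this article, not code from Check Point or Microsoft; the cap value 0xFF00 is assumed here for illustration (just under 64 KB), and the sample response is constructed inline.

```python
import struct

SIG_RR_TYPE = 24           # RR type number of the SIG record (RFC 2535)
TCP_RESPONSE_CAP = 0xFF00  # size cap assumed here for illustration, just under 64 KB


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the domain name starting at pos.
    Handles label sequences and 2-byte compression pointers (RFC 1035)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return pos + 2
        if length == 0:            # root label ends the name
            return pos + 1
        pos += 1 + length


def inspect_tcp_dns_frame(frame: bytes) -> dict:
    """Parse one DNS-over-TCP frame (2-byte length prefix + message) and
    report its size and the RDATA length of every SIG record it carries."""
    (msg_len,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + msg_len]
    if len(msg) != msg_len:
        raise ValueError("truncated frame")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    pos = 12
    for _ in range(qd):            # question: name, type, class
        pos = skip_name(msg, pos) + 4
    sig_lengths = []
    for _ in range(an + ns + ar):  # every resource record in the message
        pos = skip_name(msg, pos)
        rr_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rr_type == SIG_RR_TYPE:
            sig_lengths.append(rdlen)
    return {"length": msg_len,
            "exceeds_cap": msg_len > TCP_RESPONSE_CAP,
            "sig_rdlengths": sig_lengths}


def build_sig_response(rdata_size: int) -> bytes:
    """Constructed sample: a minimal response to 'example.com SIG' carrying
    one SIG record whose RDATA is rdata_size filler bytes."""
    name = b"\x07example\x03com\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, counts
    question = name + struct.pack("!HH", SIG_RR_TYPE, 1)
    rr_fixed = struct.pack("!HHIH", SIG_RR_TYPE, 1, 300, rdata_size)
    answer = b"\xC0\x0C" + rr_fixed + b"\x00" * rdata_size  # pointer to offset 12
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg
```

A response whose frame length exceeds the cap, or which carries SIG records with unusually large RDATA, is worth a closer look and, on an unpatched server, would be blocked by the size limit the workaround imposes.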