Attackers often abuse Windows DNS servers to gain access to targeted networks. The recent discovery of SIGRed, a critical, wormable remote code execution (RCE) vulnerability in the Windows DNS server, could well prove to be a jackpot for threat actors.
This is not just another vulnerability
Check Point security researcher Sagi Tzadik found the vulnerability (CVE-2020-1350), which has existed in the operating system's code for 17 years. Successful exploitation of such a vulnerability could have a severe impact.
- Microsoft has warned that the vulnerability (CVSS base score of 10.0) could allow an attacker to craft malicious DNS queries for Windows DNS servers (versions from 2003 to 2019) and achieve arbitrary code execution, which could lead to the breach of an organization's entire infrastructure.
- When triggered by a malicious DNS query, the vulnerability leads to a heap-based buffer overflow, allowing the attacker to take control of the server. From there they can intercept and manipulate users' emails and network traffic, make services inaccessible, and steal users' sensitive data.
- A successful compromise also grants the attacker Domain Administrator rights. In limited scenarios, the vulnerability can be triggered remotely through browser sessions in Internet Explorer and Microsoft Edge (non-Chromium based).
Other DNS server threats
DNS has become an increasingly attractive attack vector for cybercriminals, who are using DNS-based techniques to infiltrate end users and corporate networks.
- In June 2020, a Windows point-of-sale (POS) malware dubbed Alina was seen using the DNS protocol to smuggle stolen credit card data to a remote server under the attacker's control.
- In April 2020, hackers gained access to Linksys Smart Wi-Fi accounts, after which they changed home routers' DNS server settings and redirected users to a COVID-19-themed malicious app.
Microsoft has released a patch for CVE-2020-1350 in Windows DNS Server and has also offered an alternative registry-based workaround.
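The following PowerShell script, added here as an example and not part of the original article, applies and verifies that registry-based workaround on a Windows DNS server. The registry path, value name `TcpReceivePacketSize` and the value 0xFF00 are taken from Microsoft's published guidance for CVE-2020-1350 (KB4569509), not from this page; the script assumes an elevated session on a host with the DNS Server role installed.

```powershell
# Added example: apply and verify Microsoft's interim registry workaround for
# CVE-2020-1350 (SIGRed). Run in an elevated PowerShell session on the DNS server.
# The workaround caps the largest inbound TCP DNS message the server accepts at
# 0xFF00 bytes. Installing the security update remains the real fix; Microsoft's
# guidance is to remove this value again once the update has been installed.
$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name  = 'TcpReceivePacketSize'
$Value = 0xFF00   # 65280, per Microsoft's guidance (KB4569509)

if (-not (Test-Path $Path)) {
    throw 'DNS Server parameters key not found; is the DNS Server role installed?'
}

# Record the current setting; absent means the default maximum applies.
$before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $before) { $before = '<not set>' }
Write-Host "Current ${Name}: $before"

# Create or update the DWORD value idempotently.
New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

# The DNS service reads this value only on start, so restart it.
Restart-Service -Name DNS -Force

# Verify: the value must read back as 0xFF00 and the service must be running.
$after  = (Get-ItemProperty -Path $Path -Name $Name).$Name
$status = (Get-Service -Name DNS).Status
if ($after -ne $Value -or $status -ne 'Running') {
    throw "Workaround verification failed: $Name=$after, DNS service $status"
}
Write-Host ('Workaround applied: {0}=0x{1:X}; DNS service {2}' -f $Name, $after, $status)
```

With this value set, the server cannot resolve names for its clients if an upstream DNS response over TCP exceeds 65,280 bytes, which is why Microsoft treats it as a temporary measure rather than a replacement for the patch.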
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive ordering Federal Civilian Executive Branch agencies to apply the patch for this vulnerability by July 17, 2020, 2:00 p.m. ET.