Windows DNS Servers affected by a critical 17-year vulnerability.

 

----------------------------------------------

Summary

Wired published an article regarding the critical Windows DNS Server vulnerability discovered by the Israeli security firm Check Point. Named "SigRed", it is "wormable". This bug goes back as far as 17 years, to the Server 2003 editions.

 

Quotes


"Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry-standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization."

 

"Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)"

 

My thoughts

In theory, domain-joined machines could pass the DNS request up to the Domain Controller via a URL in a phishing e-mail. Also, an infected ad server could rotate into view, which will cause browser host-name resolution. Again, this goes up the chain to the Domain Controller, which often runs the DNS Server service before acting as a DNS forwarder out to the internet.

 

Super-critical that all DNS servers get patched ASAP! At the least, you can follow Microsoft's workaround advice on adding a registry entry and restarting just the service. Links below.

 

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

 

https://nvd.nist.gov/vuln/detail/CVE-2020-1350

 

Sources

 

https://www.wired.com/story/sigred-windows-dns-flas-wormable/

 

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Edited by StDragon
Added link to KB patch availability per Server edition

...so a buffer overflow issue by the looks of things (given restricting the size to below the max seems to fix the issue).

 

Glad I am not responsible for the patching, I am sure there will be many organizations that don't have proper deployment cadences of patches and they could be sitting ducks in terms of being vulnerable.

3735928559 - Beware of the dead beef


Oh wow, band-aid that.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Corsair K63 Cherry MX red | Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


5 minutes ago, wanderingfool2 said:

...so a buffer overflow issue by the looks of things (given restricting the size to below the max seems to fix the issue).

 

Glad I am not responsible for the patching, I am sure there will be many organizations that don't have proper deployment cadences of patches and they could be sitting ducks in terms of being vulnerable.

Yeah, this could be WannaCry all over again. Municipalities and the health industry could be hit hard by this. Nation-states could be looking into weaponizing it too.

Patch it!


Just now, StDragon said:

Yeah, this could be WannaCry all over again. Municipalities and the health industry could be hit hard by this.

And it's a pretty bad time to get hit right now.


3 minutes ago, StDragon said:

In theory, domain-joined machines could pass the DNS request up to the Domain Controller via a URL in a phishing e-mail. Also, an infected ad server could rotate into view, which will cause browser host-name resolution. Again, this goes up the chain to the Domain Controller, which often runs the DNS Server service before acting as a DNS forwarder out to the internet.

Being domain-joined is not a requirement. The Windows DNS service is just a DNS server like any other, so you can run it without any Active Directory integration at all. Also, a Windows DNS server can be queried like any other DNS server. It's just that it's really common to co-host the DNS and AD roles together on the same server in smaller networks, DHCP as well.

 

What makes it easily wormable is the fact that it's DNS, so it has to be exposed to at minimum the local network, and because it is DNS you can also find out the names of other hosts in the DNS namespace; with the remote code execution this gives you, you can infect all the other DNS servers. You'll also likely have firewall rules that allow DNS between DNS servers, sometimes across security zones, usually from a more secure network to a less secure one, i.e. DNS forwarding. If you did it properly it'll only be one way, making it less likely the less secure DNS server can worm to the secure one.

 

The other problem is that, again because this is DNS, you can find out what the hostnames of the AD servers are, and if they are the same as the DNS servers then you know you have remote code execution on a DC, and with that you can use known exploits to compromise user accounts and passwords.

 

If you are co-hosting AD and DNS, this is about as worst-case as I can think of. For some context, WannaCry is 9.3 for CVSS 2.0 and Conficker is 10.0; CVSS 3.0 for WannaCry is 8.1. This one is a provisional 10.0 on CVSS 3.0, but I expect it to come out lower than that, though still very high.

 


MS sent out notice of this almost exactly 44 hours before this post

 


 

Just enough time to panic and do something about it lol

 


1 minute ago, leadeater said:

Being domain-joined is not a requirement. The Windows DNS service is just a DNS server like any other, so you can run it without any Active Directory integration at all. Also, a Windows DNS server can be queried like any other DNS server. It's just that it's really common to co-host the DNS and AD roles together on the same server in smaller networks, DHCP as well.

MS sent out notice of this almost exactly 44 hours before this post

 


 

Just enough time to panic and do something about it lol

 

Exactly. But when in doubt, err on the side of caution and patch AD servers regardless. IT departments and senior network staff will know which course of action is best.


3 minutes ago, StDragon said:

Exactly. But when in doubt, err on the side of caution and patch AD servers regardless. IT departments and senior network staff will know which course of action is best.

True, my point was more that this can be exploited by any computer, domain-joined or not. It's worse if you co-host, but any computer that can send a DNS query to a Microsoft DNS server can exploit it, e.g. a BYOD laptop on untrusted wireless.


2 minutes ago, leadeater said:

True, my point was more that this can be exploited by any computer, domain-joined or not. It's worse if you co-host, but any computer that can send a DNS query to a Microsoft DNS server can exploit it, e.g. a BYOD laptop on untrusted wireless.

Depending on how it works, my thought would be that an attack vector might be as easy as a link on a website (not even one the user clicks), just because of DNS prefetching. (IF, and it's a big if, it's exploitable through a web browser link, then it might be as simple as it being posted in something like a comment and the user just visiting the webpage and having the browser prefetch it from the DNS.)

 

We shall see; this is sort of a scary vulnerability though (even if it turns out not to be possible through a link).

11 minutes ago, wanderingfool2 said:

Depending on how it works, my thought would be that an attack vector might be as easy as a link on a website (not even one the user clicks), just because of DNS prefetching. (IF, and it's a big if, it's exploitable through a web browser link, then it might be as simple as it being posted in something like a comment and the user just visiting the webpage and having the browser prefetch it from the DNS.)

 

We shall see; this is sort of a scary vulnerability though (even if it turns out not to be possible through a link).

It requires specially crafted packets, which I believe browser sandboxing/security would stop, so that a site's JavaScript couldn't directly interact with your network. I'm not too familiar with WebSockets and whether you'd be able to do this using them.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


Well that sucks, guess I need to fix and patch up my servers...

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 


41 minutes ago, wanderingfool2 said:

Depending on how it works, my thought would be that an attack vector might be as easy as a link on a website (not even one the user clicks), just because of DNS prefetching. (IF, and it's a big if, it's exploitable through a web browser link, then it might be as simple as it being posted in something like a comment and the user just visiting the webpage and having the browser prefetch it from the DNS.)

 

We shall see; this is sort of a scary vulnerability though (even if it turns out not to be possible through a link).

It would most likely have to be a malicious ad if you aren't relying on a user clicking a link, mainly because it's a little bit more than simply sending a crafted DNS query to actually exploit the system, and a link on a page wouldn't create the crafted query. But yeah, the list of possible ways is near-endless.

 

The other thing of note is that CVSS is not actually a threat scoring system; it's an industry standard for assessing the severity of a vulnerability. It doesn't make any assessment of what can be done with the vulnerability beyond the vulnerability itself. What that means is that two vulnerabilities with the same or similar CVSS scores can pose significantly different threats to wider network security.

 

Once there is a known exploit it's around the same threat level as Conficker, which was worse than WannaCry, but luckily the creators of Conficker didn't actually do anything with the compromised systems. Conficker managed to infect 1.7 million computers, whereas WannaCry only infected 200 thousand; the only difference is that WannaCry actually did something, so we are all extremely, extremely lucky the Conficker creators didn't actually weaponize what they had.

1 hour ago, leadeater said:

If you are co-hosting AD and DNS, this is about as worst-case as I can think of.

*whew* Good, I'm in the best case then. I host neither on mine (WS2016). :P

Anyone know which patch (KB#) actually fixes this? The article (and Microsoft's workaround) both say an update resolves the issue, but I can't find out which update fixes the issue.

 

I'm deploying the workaround to my work servers.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


9 minutes ago, dalekphalm said:

Anyone know which patch (KB#) actually fixes this? The article (and Microsoft's workaround) both say an update resolves the issue, but I can't find out which update fixes the issue.

 

I'm deploying the workaround to my work servers.

The current monthly security update. It's Patch Tuesday week, and this announcement was given along with the release of this month's patches, which include the fix for it. You only need the workaround if you cannot patch.

 

Edit:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

 

Patch links on this page


10 minutes ago, dalekphalm said:

Anyone know which patch (KB#) actually fixes this? The article (and Microsoft's workaround) both say an update resolves the issue, but I can't find out which update fixes the issue.

 

I'm deploying the workaround to my work servers.

Here is the list of all of them:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350


22 minutes ago, leadeater said:

The current monthly security update. It's Patch Tuesday week, and this announcement was given along with the release of this month's patches, which include the fix for it. You only need the workaround if you cannot patch.

 

Edit:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

 

Patch links on this page

Okay, good. I implemented the workaround on all my servers. I'm going to patch them anyway, but I wanted to close the vulnerability while I wait for the updates. My primary DC/DNS servers (I have 2 of them) cannot be rebooted during operating hours, so I want them protected in the meantime. Our secondary DC/DNS servers will be patched and rebooted right away.

18 minutes ago, dalekphalm said:

Okay, good. I implemented the workaround on all my servers. I'm going to patch them anyway, but I wanted to close the vulnerability while I wait for the updates. My primary DC/DNS servers (I have 2 of them) cannot be rebooted during operating hours, so I want them protected in the meantime. Our secondary DC/DNS servers will be patched and rebooted right away.

Yup, that's the way to handle it. Just remember to restart the DNS services too.

 

FYI - Just remember to remove the registry entry after a reboot. While it won't harm anything, that mitigation method is not officially supported to remain there permanently. The patch handles the vulnerability at a different level.

1 minute ago, StDragon said:

Yup, that's the way to handle it. Just remember to restart the DNS services too.

Yep that's in the workaround instructions.

1 minute ago, StDragon said:

FYI - Just remember to remove the registry entry after a reboot. While it won't harm anything, that mitigation method is not officially supported to remain there permanently. The patch handles the vulnerability at a different level.

Not a massive priority to me, but if I remember to, I'll remove the entries after they're patched.


7 hours ago, leadeater said:

It would most likely have to be a malicious ad if you aren't relying on a user clicking a link, mainly because it's a little bit more than simply sending a crafted DNS query to actually exploit the system, and a link on a page wouldn't create the crafted query. But yeah, the list of possible ways is near-endless.

Yeah, you're right. I got around to finally reading the disclosure post by Check Point; it was an interesting read. It can be exploited via old Edge and IE by going to the right website. Still, it's quite the exploit, and it's always worrying that it's been in existence for 17 years (even though it wasn't in the wild, it always makes you wonder if nation-states knew about this and did targeted hacks).

As far as I can tell, a normal home system will not run the affected service by default and thus would not be directly vulnerable (though that's to say nothing of the possibility that another system on your network becomes compromised and serves as another way to propagate). Is this correct? For the sake of "normal users", I just want to get extra clarification on that.

Edited by Ryan_Vickers
reworded to not be terrible

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


2 hours ago, Ryan_Vickers said:

As far as I can tell, a normal home system will not run the affected service by default and thus would not be directly vulnerable (though that's to say nothing of the possibility that another system on your network becomes compromised and serves as another way to propagate). Is this correct? For the sake of "normal users", I just want to get extra clarification on that.

Unless you are hosting your own DNS server at home with MS Server (and specifically MS's DNS service), your computers won't be affected.

 

The only case where it would spill over to normal users (that I can think of at the moment) would be if your ISP used MS's DNS to do the resolving for clients... but even if they did, it would likely be patched. (And it would only affect you in the sense that they could redirect traffic, like a MITM attack.) [But I think that is very unlikely given the current state of this vulnerability.]
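Pulling together the practical advice in this thread (leadeater's point that any host able to query the server is in scope, Ryan_Vickers' question about whether a given machine even runs the affected service, and StDragon's reminder to restart the DNS service and to remove the registry entry once patched), here is an added PowerShell script. It is not code from this thread or from Microsoft. It discovers the DNS servers for an AD domain from the zone's NS records, reports which of them actually run the Windows DNS Server service, and can show, apply or remove the interim registry workaround. The registry path, value name and 0xFF00 value are taken from the KB article linked in the first post (KB4569509) and should be checked against it; the script assumes WinRM is enabled on the servers and that it is run with domain administrator rights, and $DomainName defaults to the local machine's own domain.

```powershell
<#
 Added example, not from the thread or from Microsoft.
 Report which of your domain's DNS servers run the Windows DNS Server
 service, and show/apply/remove the interim TcpReceivePacketSize
 workaround from KB4569509 until the monthly update is installed.
 Assumptions: WinRM enabled on the servers, run as a domain admin,
 registry details verified against the linked KB article.
#>
[CmdletBinding()]
param(
    [string]$DomainName = $env:USERDNSDOMAIN,   # zone whose NS records list the DNS servers
    [ValidateSet('Report', 'Apply', 'Remove')]
    [string]$Action = 'Report'
)

# Workaround values as documented in KB4569509 (linked in the first post):
# a DWORD that caps the size of DNS-over-TCP messages the server accepts.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$RegName  = 'TcpReceivePacketSize'
$RegValue = 0xFF00

# 1. Discover: the zone's NS records name its authoritative servers; in an
#    AD domain these are normally the DCs that also hold the DNS role.
$dnsServers = Resolve-DnsName -Name $DomainName -Type NS -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' } |
    Select-Object -ExpandProperty NameHost -Unique

# 2. Per server: only hosts with the 'DNS' service are in scope; a plain
#    domain member or a home PC without the role is not directly exposed.
$remote = {
    param($Path, $Name, $Value, $Action)
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; DnsServerRole = $false
                                  ServiceState = 'n/a'; Workaround = 'n/a'
                                  Note = 'DNS Server service not installed' }
    }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    switch ($Action) {
        'Apply' {
            New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
            Restart-Service -Name DNS     # takes effect on service restart, no reboot needed
            $current = $Value
        }
        'Remove' {
            if ($null -ne $current) {
                Remove-ItemProperty -Path $Path -Name $Name
                Restart-Service -Name DNS
            }
            $current = $null
        }
    }
    if ($current -eq $Value)      { $state = 'present' }
    elseif ($null -eq $current)   { $state = 'absent' }
    else                          { $state = 'other value 0x{0:X}' -f $current }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; DnsServerRole = $true
                       ServiceState = (Get-Service -Name DNS).Status; Workaround = $state
                       Note = 'Interim only: install the monthly update, then remove the value' }
}

$results = foreach ($server in $dnsServers) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock $remote `
            -ArgumentList $RegPath, $RegName, $RegValue, $Action -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Server = $server; DnsServerRole = 'unknown'; ServiceState = 'unknown'
                           Workaround = 'unknown'; Note = "Unreachable: $($_.Exception.Message)" }
    }
}

$results | Format-Table Server, DnsServerRole, ServiceState, Workaround, Note -AutoSize
```

Run it with -Action Report first to see which servers are actually in scope. Apply restarts the DNS service on each server (a service restart, not a reboot, as the KB describes), and Remove is meant for after the monthly update has been installed and the server rebooted, since, as noted above, leaving the value in place permanently is not a supported configuration.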

8 minutes ago, wanderingfool2 said:

The only case where it would spill over to normal users (that I could think of at the moment) would be if your ISP used MS's DNS to do the resolving for clients...but even if they did, it likely would be patched.

FYI, BIND on Unix is what runs the majority of DNS for the Internet.

 

I've never heard of an ISP hosting DNS from Windows.

So I guess we can expect Server 2003 to get a patch in the near future.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


1 hour ago, StDragon said:

FYI, BIND on Unix is what runs the majority of DNS for the Internet.

 

I've never heard of an ISP hosting DNS from Windows.

I thought this security issue was predominantly about corporate servers, not ISPs.

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  
