Jump to content
Karlston

Hack Brief: Microsoft Warns of a 17-Year-Old ‘Wormable’ Bug

Recommended Posts

Karlston

Hack Brief: Microsoft Warns of a 17-Year-Old ‘Wormable’ Bug

The SigRed vulnerability exists in Windows DNS, used by practically every small and medium-sized organization in the world.
Microsoft storefront
Photograph: JEENAH MOON/New York Times/Redux
 

Since WannaCry and NotPetya struck the internet just over three years ago, the security industry has scrutinized every new Windows bug that could be used to create a similar world-shaking worm. Now one potentially "wormable" vulnerability—meaning an attack can spread from one machine to another with no human interaction—has appeared in Microsoft's implementation of the domain name system protocol, one of the fundamental building blocks of the internet.

 

As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company's researchers have named SigRed. The SigRed bug exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organization around the world. The bug, Check Point says, has existed in that software for a remarkable 17 years.

 

Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry-standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.

 

On top of all of that, says Check Point's head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. "It requires no interaction. And not only that, once you’re inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy," says Omri Herscovici. "It’s basically game over."

 
The Hack

 

Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)

 

For the remote, no-interaction version of the attack that Check Point's Herscovici describes, the target DNS server would have to be exposed directly to the internet, which is rare in most networks; administrators generally run Windows DNS on servers that they keep behind a firewall. But Herscovici points out that if a hacker can get access to the local network by accessing the corporate Wi-Fi or plugging a computer into the corporate LAN, they can trigger the same DNS server takeover. And it may also be possible to exploit the vulnerability with just a link in a phishing email: Trick a target into clicking that link and their browser will initiate the same key exchange on the DNS server that gives the hacker full control of it.

 

Check Point only demonstrated that it could crash a target DNS server with that phishing trick, not hijack it. But Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it's likely that the phishing trick could be finessed to allow a full takeover of the target DNS server in the vast majority of networks that don't block outbound traffic on their firewalls. "With some careful crafting, you could probably target DNS servers that are behind a firewall," Williams says.

 
Who's Affected?

 

While many large organizations use the BIND implementation of DNS that runs on Linux servers, smaller organizations commonly run Windows DNS, says Williams, so thousands of IT administrators will likely need to rush to patch the SigRed bug. And because the SigRed vulnerability has existed in Windows DNS since 2003, practically every version of the software has been vulnerable.

 

While those organizations rarely expose their Windows DNS servers to the internet, both Check Point and Williams warn that many administrators have made architectural changes to networks—often questionable ones—to better allow employees to work from home since the beginning of the Covid-19 pandemic. That could mean more exposed Windows DNS servers that are open to full remote exploitation. "The threat landscape of internet-exposed things has risen dramatically" in recent months, Williams says.

 

The good news, Check Point says, is that detecting SigRed exploitation of a Windows DNS server is relatively easy, given the noisy communications necessary to trigger the vulnerability. The firm says that despite the 17 years that SigRed has lingered in Windows DNS, it has yet to find any indication of an attack on its clients' networks so far. "We're not aware of anyone using this, but if they did, hopefully now it will stop," Herscovici says. But in the short term at least, Microsoft's patch could also lead to more exploitation of the bug as hackers reverse engineer the patch to discover exactly how the vulnerability can be triggered.

 
How Serious Is This?

 

Check Point's Herscovici argues that the SigRed bug should be taken as seriously as the flaws exploited by older Windows hacking techniques like EternalBlue and BlueKeep. Both of those Windows exploitation methods raised alarms because of their potential to spread from machine to machine over the internet. While BlueKeep never resulted in a worm or any mass hacking incidents beyond some cryptocurrency mining, EternalBlue was integrated into both the WannaCry and NotPetya worms that rampaged across global networks in the spring and summer of 2017, becoming the two most damaging computer worms in history. "I would compare this to BlueKeep or EternalBlue," says Herscovici. "If this vulnerability were to be exploited, we might get a new WannaCry."

 

But Rendition Infosec's Williams argues that the SigRed bug is more likely to be exploited in targeted attacks. Most SigRed techniques likely won't be very reliable, given that a Windows mitigation called "control flow guard" may sometimes cause machines to crash rather than being hijacked, Williams says. And fully exposed Windows DNS servers are relatively rare, so the population of machines vulnerable to a worm isn't comparable to BlueKeep or EternalBlue. The phishing technique to exploit SigRed doesn't lend itself to a worm nearly as well, since it would require users to click a link.

 

SigRed could, however, serve as a powerful tool for more discriminating hackers. And that means Windows administrators should rush to patch it immediately. "Technically, it's wormable, but I don't think there will be a worm based on the mechanics of this," Williams says. "But there's no question in my mind that well-funded adversaries will make an exploit for it."

 

 

Hack Brief: Microsoft Warns of a 17-Year-Old ‘Wormable’ Bug

 

ThanksForReading200x49.jpg

Share this post


Link to post
Share on other sites
Karlston

FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective

You’re going to see a lot of sand flying about a Windows security hole that was plugged yesterday. Here’s what most people need to know about CVE-2020-1350, also known as SIGRed:

 

Q: Do I need to be worried about it?

 

A: Unless you’re in charge of a Windows DNS Server, no.

 

Q: How do I know if I’m in charge of a Windows DNS Server?

 

A: If you had to ask the question, you aren’t.

 

Q: If I am in charge of a Windows DNS Server, should I be concerned?

 

A: Yes. You need to get the latest Server cumulative update installed.

 

Q: What if all of my Windows DNS Servers are internal only?

 

A: You need to get patched anyway. It’s likely easier to exploit the hole on a publicly-facing Windows DNS Server, but internal servers aren’t immune. Marcus Hutchins says:

Can affect Windows Servers that expose DNS externally, or can be triggered by getting a user to visit a malicious website using IE or pre-Chromium Edge… While technically wormable, it seems unlikely. A more likely scenario would be ransomware actors using it to gain a access to the Domain Controller, then pushing ransomware to all network clients.

Q: Is it really that serious?

 

A: Yep, it’s a significant security hole that’s been around for at least 17 years. Several people have remarked that variations on the exploit have existed for a decade. Good advice from @SwiftOnSecurity:

Microsoft has issued an unusual private push alert to Premier customers under NDA about CVE-2020-1350. Patch or apply workaround now. Note workaround requires DNS service restart do not just hand this to admins. I do NOT trust the registry key workaround. Its effect is not auditable and provable. Apply the patch. Something this big with no signs of current exploit means Microsoft went through in-depth testing to prove it out before telling the world. Apply patch and validate and deploy it now.

Q: Should we bend over and kiss our cumulative keesters goodbye?

 

A. Depends on your keester, I guess. We’ll see an active exploit soon, but not right away. Per Kevin Beaumont:

I don’t expect a quick turnaround to RCE in public, the discoverers didn’t reach it, it requires time and skill… after every big RCE vulnerability announcement, Twitter becomes ‘this would take 5 minutes to write an exploit for!’ Then rarely anybody writes a public RCE exploit quickly, unless it’s a GET web request. If there’s some degree of skill required, a barrier.

For 99.9% of you, there’s nothing to be concerned about. For the other 0.1%, it’s showtime.

 

There’s a technical description from Sagi Tzadik on the Check Point Research web site.

 

 

FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective

 

ThanksForReading200x49.jpg

Share this post


Link to post
Share on other sites
Edion Gecos
On 7/15/2020 at 5:48 AM, Karlston said:

Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.

 

On 7/15/2020 at 5:48 AM, Karlston said:

Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it's likely that the phishing trick could be finessed to allow a full takeover of the target DNS server in the vast majority of networks that don't block outbound traffic on their firewalls. "With some careful crafting, you could probably target DNS servers that are behind a firewall," Williams says.

 

On 7/15/2020 at 5:48 AM, Karlston said:

Williams says. "But there's no question in my mind that well-funded adversaries will make an exploit for it."

... I mean (cough, cough) have been making for years now ( cough)... !

 

Is this really a bug... or maybe rather a feature that allows certain three-letter-agencies to "prevent" crime and worldwide terrorism? :whistle:

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...