17 year old highly critical bug in Windows DNS

11. August, 2020

As CPU manufacturers already had to suffer in 2018, previous design decisions can have fatal consequences. Recently, a faulty program part for Windows servers was detected, which had been “hidden” for a long time in the constantly evolving systems. The result is a massive security problem.

It is remarkable that for IT terms it is almost an eternal story: The origin of the code could be traced back for 17 years and has now caught up with the manufacturer Microsoft. The error detected by Checkpoint in the Windows Server system code receives the highest CVSS score of 10.0. [1]

Highly critical error with self-propagation capability

Both the probability of exploitation and the possible damage effects received the highest ratings. The faulty routine has existed for many years and can be exploited and spread over the network: The bug is “wormable”. The bug is resident in the DNS subsystem – the domain name system – and can therefore jump from one server to another. DNS is not only an essential part of the TCP/IP protocol and necessary for any communication, but is also required between Windows clients and server. The service therefore cannot simply be restricted or deactivated.

An infection can spread over an extensive network without any interaction and is therefore highly critical. With the patch Tuesday on July 14, an update was delivered – together with 122 other bug fixes. It is therefore important to update all systems as soon as possible. Nearly all current versions of Windows Server from 2003 to 2019 are affected. [2]

SIGRed: Error in Microsoft’s DNS system

The error relates to an outdated routine that provides DNS response handling for the Windows DNS server. The affected message type is “SIG query” and a method to verify the authenticity of DNS replies that is no longer used. If a response larger than 64kB with this type is returned to a server, arbitrary code can be executed on the system. Since the DNS service typically runs only on important components with the highest privileges, highly critical worst-case scenarios are conceivable. For the fastest response, Microsoft has published a workaround guide that provisionally limits the size of DNS responses received.[3]

Software and hardware will always be affected by errors

As security researchers found out, only the code part for Windows servers is vulnerable, but not the routines of Windows clients. This suggests that the vendor maintains two separate branches for client and server and does not exchange fixes sufficiently. The researchers withheld publication of the findings gained in May until Microsoft was able to distribute a software update in July.
SIGRed shows once again that previously unknown errors in software and hardware must always be expected. Comprehensive planning and preparation for errors is therefore an essential part of IT security management.

[1] https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

[2] https://www.zdnet.com/article/critical-sigred-vulnerability-impacts-microsoft-windows-dns-2003-2019-patch-now/

[3] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Defense in Depth
Qlocker 01

Ransomware Qlocker: How to restore your data (for the most part)

Two Austrian security experts analyzed the method the hackers used and found out, that they made a mistake.
Beat The Best
Microsoft Exchange
*IKARUS quick survey (Q1 / 2021): Cybersecurity in times of corona
Flash End