SoylentNews is people

posted by martyb on Thursday July 16 2020, @05:01AM
from the Security dept.

PATCH NOW - SIGRed - CVE-2020-1350 - Microsoft DNS Server Vulnerability:

Yesterday, Microsoft released a patch for CVE-2020-1350, fixing a critical vulnerability in its DNS server. The vulnerability is 17 years old. All current versions of Microsoft's server back to 2003 are affected. The vulnerability earned a CVSS score of 10, indicating that it allows a full remote system compromise without any authentication. An exploit could likely spread without user interaction ("wormable").

A server is vulnerable if the DNS role is enabled. Note that Active Directory and Kerberos require DNS, and domain controllers usually have the DNS role enabled. This will put the domain controller at risk!

The vulnerability is triggered by an oversized DNS response containing a "SIG" record.

The basic exploit flow would look like:

  • The attacker triggers a DNS query (for example, the victim visits a web page, or the attacker is sending an email to the victim). For a badly configured ("open recursive") name server, the attacker may just send a query to the name server directly.
  • The victim DNS server will query the attacker's name server via UDP. By default, name servers will send queries via UDP first.
  • The attacker responds with a truncated response, indicating that the response is too large for UDP.
  • The victim will now re-send the request via TCP.
  • The attacker will respond with the exploit.

To trigger the exploit, the size of the response has to exceed 64kBytes. However, this does not mean that the attacker has to send more than 64kBytes (the attacker can't! DNS replies over TCP max out at 64kBytes). Instead, the attacker's response will take advantage of "pointers", to compress the response. It will be expanded (and trigger the exploit) on the victim's DNS server.

For more technical information, see: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
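
An added example (not from the original post or from Check Point's write-up): a small Python parser that follows the "pointers" described above and reports, for each SIG record in a DNS message (the bytes after the 2-byte TCP length prefix), its size on the wire versus its size once the signer's name is expanded. The function names, the default limit and the sample message are constructed for illustration; the SIG RDATA layout assumed is the one in RFC 2535.

```python
import struct
TYPE_SIG = 24     # RR type SIG (RFC 2535)
SIG_FIXED = 18    # RDATA bytes that precede the signer's name

def read_name(msg, off, max_jumps=32):
    """Return (uncompressed length, wire offset just past the name)."""
    size, end, jumps = 1, None, 0            # 1 = terminating root label
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # RFC 1035 compression pointer
            if off + 1 >= len(msg) or jumps == max_jumps:
                raise ValueError("bad or looping compression pointer")
            end = off + 2 if end is None else end
            off, jumps = ((n & 0x3F) << 8) | msg[off + 1], jumps + 1
        elif n == 0:
            return size, (off + 1 if end is None else end)
        else:                                # ordinary label: length byte + data
            size, off = size + n + 1, off + n + 1

def sig_sizes(msg):
    """List (wire RDLENGTH, expanded RDATA size) for every SIG record."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, out = 12, []
    for _ in range(qd):                      # skip question entries
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SIG:
            name_len, name_end = read_name(msg, off + SIG_FIXED)
            sig_len = off + rdlen - name_end
            if sig_len < 0:
                raise ValueError("signer's name overruns RDATA")
            out.append((rdlen, SIG_FIXED + name_len + sig_len))
        off += rdlen
    return out

def flag_sig_expansion(msg, limit=0xFFFF):
    # True if any SIG record's expanded RDATA is larger than `limit` bytes.
    return any(expanded > limit for _, expanded in sig_sizes(msg))

# Constructed, benign sample: one SIG answer whose signer's name is a pointer.
QNAME = b"\x07example\x04test\x00"
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME
          + struct.pack("!HH", TYPE_SIG, 1) + b"\xc0\x0c"
          + struct.pack("!HHIH", TYPE_SIG, 1, 0, 28)
          + bytes(SIG_FIXED) + b"\xc0\x0c" + bytes(8))
```

In the sample, the 2-byte pointer stands in for a 14-byte name, so the record is 28 bytes on the wire and 40 bytes once expanded.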


  • (Score: 1, Funny) by Anonymous Coward on Thursday July 16 2020, @05:18AM (#1022291)

    No more to say

  • (Score: 5, Insightful) by driverless (4770) on Thursday July 16 2020, @05:47AM (#1022298)

    Anyone remember the days when you could take out a Windows DNS server through such cunning black-hat tricks as sending multiple DNS queries to it?

  • (Score: 3, Insightful) by Anonymous Coward on Thursday July 16 2020, @05:55AM (#1022300)

    All these Microsoft articles are very interesting, from the "watching a shipwreck" perspective, but hardly something that is of interest to the majority of Soylentils? Maybe, Eds, we give it a rest, for a while? Nothing misleads young people more than giving them the idea that Microsoft has anything to do with Science, Technology, Engineering, or Math! More like Skullduggery, Treason, Enemas, and Mendacity.

    • (Score: 2, Touché) by Anonymous Coward on Thursday July 16 2020, @06:45AM (#1022318)

      Useful for sysadmins. Some of us have Windows-using users.

      • (Score: 3, Insightful) by Unixnut (5779) on Thursday July 16 2020, @09:28AM (#1022343)

        > Useful for sysadmins. Some of us have Windows-using users.

        Or MS loving bosses that insist we use MS for all our core services, including DNS (welcome to my world).

        • (Score: 2, Funny) by Anonymous Coward on Thursday July 16 2020, @12:55PM (#1022380)

          Easy, just expose your Windows DNS server to the public internet, tip the BSA and wait for them to issue a fine for failing to have a Windows CAL for every citizen of the world.

      • (Score: 0) by Anonymous Coward on Thursday July 16 2020, @04:06PM (#1022457)

        what does that have to do with anything? i doubt very seriously windows can't use a real dns server (linux).

  • (Score: 4, Interesting) by jb (338) on Thursday July 16 2020, @06:11AM (#1022309)

    It's difficult to understand how so many otherwise rational people have put up with Microsoft's nonsense for so long.

    My pet theory is that it's a sort of software analogue of Stockholm syndrome: over the decades, users eventually grew to love being abused over and over again by their dodgy software vendor.

  • (Score: 1, Informative) by Anonymous Coward on Thursday July 16 2020, @01:00PM (#1022382)

    Ouch. When I initially saw the announcement, I had assumed it was a bug in the DNS server, which isn't too severe because most domain controllers aren't directly accessible from the outside. But this being a DNS client error means that all an attacker has to do is configure his own domain, and then send an e-mail with a link to his DNS name. It's very likely that the recipient's mail scanner will access the link to determine if the contents are harmful...
