Since WannaCry and NotPetya came online a little over three years ago, the security industry has investigated every new Windows bug that could create a similar earth-shattering worm. Now a potentially “wormable” vulnerability has turned up in Microsoft’s implementation of the Domain Name System protocol, one of the cornerstones of the Internet; “wormable” means an attack can spread from one computer to another without human interaction.
As part of its Patch Tuesday series of software updates, Microsoft today released a fix for a bug discovered by the Israeli security firm Check Point, whose researchers named it SigRed. The SigRed bug affects Windows DNS, one of the most widely used types of DNS software, which translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically all small and medium-sized companies around the world. The bug, says Check Point, has been in this software for a remarkable 1
Check Point and Microsoft warn that the flaw is critical, rated 10 out of 10 on the Common Vulnerability Scoring System, an industry-standard severity scale. Not only is the flaw itself serious, but Windows DNS software often runs on the powerful servers called domain controllers that set the rules for networks. Many of these machines are particularly sensitive; a compromise of one would allow further intrusion into other devices within an organization.
In addition, according to Omri Herscovici, head of vulnerability research at Check Point, the Windows DNS flaw can in some cases be exploited without the target user doing anything, which makes for a seamless and powerful attack. “It does not require any interaction. And not only that, once you are in the domain controller that is running the Windows DNS server, it is really easy to extend your control over the rest of the network,” says Herscovici. “Basically the game is over.”
Check Point found the SigRed vulnerability in the part of Windows DNS that processes a particular piece of data that is part of the key exchange used in the more secure version of DNS called DNSSEC. That piece of data can be maliciously crafted so that Windows DNS lets an attacker overwrite blocks of memory that it should not have access to and ultimately achieve full remote code execution on the target server. (According to Check Point, Microsoft asked the company not to publish too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)
For the remote, no-interaction attack described by Check Point’s Herscovici, the target DNS server would have to be exposed directly to the Internet, which is rare on most networks. Administrators generally run Windows DNS on servers that they keep behind a firewall. However, Herscovici points out that a hacker who can reach the local network via the company’s WLAN or by connecting a computer to the corporate LAN can trigger the same DNS server takeover. The vulnerability could also be exploited with nothing more than a link in a phishing email: if the target is persuaded to click the link, the browser initiates the same key exchange with the DNS server, which hands the hacker full control over it.
Check Point has only shown that this phishing trick can crash a target DNS server, not hijack it. However, Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it is likely that the phishing trick could be refined to allow full takeover of the target DNS server in the vast majority of networks, which do not block outgoing traffic on their firewalls. “With some careful editing, you could probably target DNS servers behind a firewall,” Williams said.
Who is affected?
While many large organizations use the BIND implementation of DNS running on Linux servers, Williams says smaller organizations typically run Windows DNS, so thousands of IT administrators are likely to have to rush to patch the SigRed flaw. And because the SigRed vulnerability has been in Windows DNS since 2003, virtually every version of the software is vulnerable.