17-Year-Old Critical ‘Wormable’ RCE Vulnerability Impacts Windows DNS Servers

July 15, 2020

Cybersecurity researchers today disclosed a new highly critical “wormable” vulnerability—carrying a severity score of 10 out of 10 on the CVSS scale—affecting Windows Server versions 2003 to 2019.

The 17-year-old remote code execution flaw (CVE-2020-1350), dubbed 'SigRed' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure: the DNS Server service runs as SYSTEM and is usually installed on domain controllers, so code execution inside it amounts to control of the domain.

A threat actor can exploit SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieve arbitrary code execution, enabling the hacker to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and much more.

In a detailed report shared with The Hacker News, the Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can spread from one vulnerable computer to another without any human interaction.

“A single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction,” the researcher said.

“This means that a single compromised machine could be a ‘super spreader,’ enabling the attack to spread throughout an organization’s network within minutes of the first exploit.”

After the cybersecurity firm responsibly disclosed its findings to Microsoft, the Windows maker prepared a patch for the vulnerability and is rolling it out starting today as part of its July Patch Tuesday, which also includes security updates for 122 other vulnerabilities, 18 of them rated critical and 105 important.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install patches immediately.

“Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Microsoft said.

Crafting Malicious DNS Responses

Stating that the objective was to identify a vulnerability that would let an unauthenticated attacker compromise a Windows Domain environment, Check Point researchers said they focused on Windows DNS, specifically taking a closer look at how a DNS server parses an incoming query or a response for a forwarded query.

A forwarded query happens when a DNS server cannot itself answer a query for a given domain name (e.g., www.google.com), so it sends the query on to that domain's authoritative DNS name server (NS) and then parses whatever response comes back.

To exploit this architecture, SigRed involves configuring a domain’s (“deadbeef.fun”) NS resource records to point to a malicious name server (“ns1.41414141.club”), and querying the target DNS server for the domain in order to have the latter parse responses from the name server for all subsequent queries related to the domain or its subdomains.

With this setup in place, the attacker answers a forwarded query with a DNS response carrying a SIG resource record. The function that parses such responses ("dns.exe!SigWireRead") computes the size of the in-memory record and hands it to the allocator, but that size is kept in a 16-bit value: a SIG record whose parsed size exceeds 64KB wraps to a small number, and the copy that follows produces a "controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer."

Put differently, the size passed to the allocation function ("RR_AllocateEx") is the sum of the signature length, the signer's name length and a fixed record header; when that sum exceeds 65,535 bytes it overflows the 16-bit value, so the allocation is far smaller than the data that is then written into it.

But with a single DNS message limited to 512 bytes in UDP (or 4,096 bytes if the server supports extension mechanisms) and 65,535 bytes in TCP, the researchers found that a SIG response with a lengthy signature alone wasn’t enough to trigger the vulnerability.

To get past that limit, the attack takes advantage of DNS name compression: the signer's name inside the SIG record is sent as a two-byte pointer to a name elsewhere in the message, but the server adds the name's decompressed length (up to 255 bytes) to the allocation size. That extra amount, which costs almost nothing on the wire, is what carries the computed size past 65,535 and wraps it.
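The arithmetic described above, as an added example in C that is not Check Point's or Microsoft's code: a SIG record with a compressed signer's name is parsed once with the size kept in 16 bits (the wrap) and once with a checked size (the reject). The constructed packet, the 0x14 per-record overhead, and a decompressor that follows pointers to any offset are all assumptions; in particular the packet points the signer's name into the signature bytes so that a 255-byte name costs nothing extra and the message stays at the 65,535-byte TCP maximum, and the article does not say whether Check Point laid its packet out that way.

```c
/* Model of the SigRed allocation-size arithmetic (added example, not Check
 * Point's or Microsoft's code): a SIG RR with a compressed signer's name is
 * parsed with the size kept in 16 bits, as described for dns.exe!SigWireRead,
 * and again with a checked size. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DNS_MAX_NAME  255    /* RFC 1035 limit on a wire-format name */
#define SIG_FIXED_LEN 18     /* SIG RDATA fields that precede the signer's name */
#define RR_OVERHEAD   0x14   /* assumed per-record header added to the allocation */
#define TCP_MAX_MSG   0xFFFF /* largest DNS message over TCP */
#define MIN_FRAMING   48     /* bytes before the signature in build_sig_packet() */

/* Decompress the name at msg[off]: returns its decompressed length (0 if
 * malformed); *wire_len gets the bytes it occupies in the packet, only 2 for
 * a bare pointer. Pointers to any offset are followed (an assumption). */
static size_t name_decompress(const uint8_t *msg, size_t msg_len, size_t off,
                              size_t *wire_len)
{
    size_t total = 0, pos = off, hops = 0;
    int jumped = 0;
    *wire_len = 0;
    for (;;) {
        if (pos >= msg_len) return 0;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                            /* compression pointer */
            if (pos + 1 >= msg_len || ++hops > 16) return 0; /* truncated or loop */
            if (!jumped) { *wire_len += 2; jumped = 1; }
            pos = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            continue;
        }
        if ((c & 0xC0) || pos + 1 + c > msg_len) return 0;   /* reserved or truncated */
        if (total + 1 + c > DNS_MAX_NAME) return 0;          /* name too long */
        total += 1 + c;
        if (!jumped) *wire_len += 1 + c;
        pos += 1 + c;
        if (c == 0) return total;
    }
}

/* Bytes requested for the SIG RR whose RDATA starts at rdata_off. vulnerable=1
 * keeps the sum in a WORD so it wraps; vulnerable=0 keeps it in size_t and
 * returns 0 (reject) when it exceeds what a WORD can hold. */
size_t sig_alloc_size(const uint8_t *msg, size_t msg_len, size_t rdata_off,
                      uint16_t rdlength, int vulnerable)
{
    if (rdata_off + rdlength > msg_len || rdlength <= SIG_FIXED_LEN) return 0;
    size_t name_wire, name_len = name_decompress(msg, msg_len, rdata_off + SIG_FIXED_LEN, &name_wire);
    if (name_len == 0 || SIG_FIXED_LEN + name_wire > rdlength) return 0;
    size_t sig_len = rdlength - SIG_FIXED_LEN - name_wire;
    if (vulnerable)
        return (uint16_t)(RR_OVERHEAD + name_len + sig_len);  /* 16-bit wrap */
    size_t need = RR_OVERHEAD + name_len + sig_len;
    return need > 0xFFFF ? 0 : need;
}

/* Constructed response, not a capture: root-name question and one SIG answer
 * whose signer's name is a pointer into the signature bytes, which begin with a
 * 255-byte name, so the packet stays at TCP_MAX_MSG bytes (layout assumed). */
uint8_t *build_sig_packet(size_t *len, size_t *rdata_off, uint16_t *rdlength)
{
    uint8_t *m = calloc(TCP_MAX_MSG, 1);
    if (!m) return NULL;
    const uint8_t hdr[12] = {0x41,0x41,0x81,0x80, 0,1, 0,1, 0,0, 0,0};   /* QR|RD|RA, QD=1, AN=1 */
    const uint8_t q_rr[14] = {0,0,24,0,1, 0,0,24,0,1, 0,0,0,60};        /* "." SIG IN; "." SIG IN TTL 60 */
    memcpy(m, hdr, 12); memcpy(m + 12, q_rr, 14);
    *rdata_off = 28;                              /* RDLENGTH sits at 26..27 */
    size_t p = *rdata_off + SIG_FIXED_LEN;        /* fixed SIG fields left zero */
    m[p] = 0xC0 | (uint8_t)(MIN_FRAMING >> 8); m[p + 1] = (uint8_t)MIN_FRAMING;
    p = MIN_FRAMING;
    const uint8_t labels[4] = {63, 63, 63, 61};   /* 4 + 63+63+63+61 + 1 = 255 bytes */
    for (int i = 0; i < 4; i++) { m[p++] = labels[i]; memset(m + p, 'A', labels[i]); p += labels[i]; }
    m[p++] = 0;
    memset(m + p, 0x41, TCP_MAX_MSG - p);         /* rest of the "signature" */
    *rdlength = (uint16_t)(TCP_MAX_MSG - *rdata_off);
    m[26] = (uint8_t)(*rdlength >> 8); m[27] = (uint8_t)*rdlength;
    *len = TCP_MAX_MSG;
    return m;
}

/* Parse the constructed packet along one path; see sig_alloc_size(). */
size_t sigred_alloc_size(int vulnerable)
{
    size_t len, rdata_off, r; uint16_t rdlength;
    uint8_t *m = build_sig_packet(&len, &rdata_off, &rdlength);
    if (!m) return (size_t)-1;
    r = sig_alloc_size(m, len, rdata_off, rdlength, vulnerable);
    free(m);
    return r;
}

/* Largest sum the vulnerable path can see when TCP messages are capped at cap
 * bytes (with this packet's framing): the arithmetic behind TcpReceivePacketSize=0xFF00. */
size_t worst_case_sum(size_t cap)
{
    return cap < MIN_FRAMING ? 0 : RR_OVERHEAD + DNS_MAX_NAME + (cap - MIN_FRAMING);
}
```

With the constructed packet, sigred_alloc_size(1) returns 226 bytes for a record whose signature alone is over 65KB, while sigred_alloc_size(0) rejects it. worst_case_sum() shows why the registry workaround later in the article works: capping TCP messages at 0xFF00 keeps even the worst-case sum below 65,536, whereas the default 0xFFFF does not.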

Remote Exploitation of the Flaw

That's not all. SigRed can also be triggered from a browser in limited scenarios (Internet Explorer and the non-Chromium Microsoft Edge; Chrome and Firefox refuse to connect to port 53). Because DNS over TCP frames each message with a two-byte length prefix, and Windows DNS servers support connection reuse and query pipelining on that connection, a website under the attacker's control can make the victim's browser send an HTTP request to the target DNS server's TCP port 53 and "smuggle" a DNS query inside the request payload.

What’s more, the bug can be further exploited to leak memory addresses by corrupting the metadata of a DNS resource record and even achieve write-what-where capabilities, allowing an adversary to hijack the execution flow and cause it to execute unintended instructions.

Surprisingly, DNS clients (“dnsapi.dll”) are not susceptible to the same bug, leading the researchers to suspect that “Microsoft manages two completely different code bases for the DNS server and the DNS client, and does not synchronize bug patches between them.”

Given the severity of the vulnerability and the high chances of active exploitation, it’s recommended that users patch their affected Windows DNS Servers to mitigate the risk.

As a temporary workaround, Microsoft's guidance is to cap the maximum length of a DNS message received over TCP at 0xFF00 (65,280 bytes), 255 bytes below the default 0xFFFF, so that the amplification from a compressed name, at most 255 bytes, can no longer carry the computed record size past 65,535. The DNS service must be restarted for the change to take effect, and the server will then reject TCP DNS messages larger than 65,280 bytes (the UDP path is unaffected); delete the value and restart the service again once the July 2020 update is installed:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f

net stop DNS && net start DNS

“A DNS server breach is a very serious thing. Most of the time, it puts the attacker just one inch away from breaching the entire organization. There are only a handful of these vulnerability types ever released,” Check Point’s Omri Herscovici told The Hacker News.

“Every organization, big or small using Microsoft infrastructure is at major security risk, if left unpatched. The risk would be a complete breach of the entire corporate network.”


Credit: The Hacker News By: noreply@blogger.com (Ravie Lakshmanan)