Windows DNS Server: Wormable vulnerability
Microsoft has recently released an urgent update for Windows DNS Server as part of their Patch Tuesday release cycle, alongside several other updates which also need applying as soon as possible. The vulnerability this update fixes is wormable, meaning it can spread from machine to machine. It has been given the technical identification CVE-2020-1350, is otherwise known as SigRed, and has the highest rating available, 10.0. Microsoft have provided their write-up of the issue here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350.
The problem is with the Domain Name System (DNS) server component of Windows Server. DNS, in simple terms, is a phone directory for the internet: it converts the plain-text names that we use for website addresses into the numeric IP addresses that computers can use and understand.
The security researchers who found the vulnerability gave it the name SigRed. If exploited successfully, it could enable an attacker to gain full domain administrator rights over affected servers and so gain control of the network. This vulnerability affects all versions of Windows and should be patched immediately. For versions of Windows which are no longer supported, there is a manual registry fix which can be applied and is shown below.
How bad is it?
To see how bad the issue is, we can use Shodan, the Internet of Things search engine, to search for DNS and Windows operating systems. We can see there are 2,179 servers which are currently online and exposed. However, the problem doesn't stop there: this vulnerability can also be exploited from within the network, thereby putting every unpatched Windows DNS Server at risk. This is huge!
The following registry modification has been identified as a workaround for this vulnerability. If you are running a version of Windows which is no longer supported (Windows Server 2008 R2 and below), apply it to all your DNS servers.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD: TcpReceivePacketSize
Value: 0xFF00
Note: A restart of the DNS Service will be required for the change to take effect.
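The workaround above as a repeatable check, written as an added example (not code from the original post or from Microsoft): a PowerShell script that reports whether the value is set on the local DNS server and, when asked, writes it and restarts the DNS service. The -Apply switch and the variable names are assumptions made for this example, and the script must be run from an elevated prompt.

```powershell
# Added example: audit and apply the TcpReceivePacketSize workaround.
# Run without arguments to report only; run with -Apply to make the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # hypothetical switch name chosen for this example
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Wanted    = 0xFF00   # value given in the workaround

# The key only exists where the DNS Server role is installed.
if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "$($env:COMPUTERNAME): DNS Server parameters key not found, nothing to do."
    return
}

# Read the current value; $null means it has never been set.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($current -eq $Wanted) {
    # The registry cannot tell us whether the service was restarted afterwards.
    Write-Output ("{0}: {1} is already 0x{2:X}. Confirm the DNS service was restarted after it was set." -f $env:COMPUTERNAME, $ValueName, $current)
    return
}

if ($null -eq $current) {
    Write-Output "$($env:COMPUTERNAME): $ValueName is not set, workaround missing."
} else {
    Write-Output ("{0}: {1} is 0x{2:X}, expected 0x{3:X}." -f $env:COMPUTERNAME, $ValueName, $current, $Wanted)
}

if (-not $Apply) {
    Write-Output 'Report only. Re-run with -Apply to write the value and restart the DNS service.'
    return
}

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $ValueName to 0xFF00 and restart the DNS service")) {
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Wanted -Force | Out-Null

    # The change only takes effect after the DNS service restarts.
    Restart-Service -Name DNS

    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    $state = (Get-Service -Name DNS).Status
    Write-Output ("{0}: {1} is now 0x{2:X}, DNS service is {3}." -f $env:COMPUTERNAME, $ValueName, $after, $state)
}
```

Running it with -Apply -WhatIf shows what would be changed without touching the registry or the service.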