SigRed: “New” Windows DNS Vulnerability Scores 10/10 on CVSS Scale

What was computer-related life like in 2003? For starters: the iTunes store had just opened, miniSD cards and DDR2 SDRAM were just hitting the market, and AMD had released its first 64-bit processor. A vulnerability affecting Windows DNS, dubbed SigRed, had remained undetected for 17 years until Check Point researchers found it earlier this year.

Security researchers at Check Point were looking for a vulnerability that would allow an attacker to compromise a Windows domain environment in a different way than the usual Server Message Block or Remote Desktop Protocol exploits when they came upon this vulnerability. They certainly found a winner: SigRed received a CVSS score of 10, the highest possible severity on the scale and a fairly rare one. Not only does this vulnerability allow an attacker to achieve remote code execution on the server, it is also wormable. This means that after just one exploitation of a system, malware can spread quickly throughout the entire network without any human interaction. WannaCry and NotPetya, for instance, were both wormable pieces of malware.

The vulnerability itself lies in the DNS module dns.exe and relies on an integer-overflow bug that leads to a heap-based buffer overflow. Both the way the DNS server parses incoming DNS queries and the way it parses responses to forwarded queries provide avenues of attack. Check Point researchers used one of the response types for a Secure Internet Access (SIG) query to exceed the maximum request size of 65,535 bytes, which led to the name SigRed. Another path to exploiting this vulnerability is remote, using HTTP requests that carry DNS queries. While Google Chrome and Mozilla Firefox aren't vulnerable to this attack, Microsoft Internet Explorer and Edge browsers can be used. The malicious request can be sent to TCP port 53 (UDP port 53 is the common DNS port) on a vulnerable server, and the data will be interpreted as if it were a DNS query, since Windows DNS supports DNS over TCP.
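To make the integer-overflow-to-heap-overflow chain described above concrete, here is an added illustrative model in C. It is not Microsoft's code and not from the Check Point write-up: the 18-byte fixed header, the field names and the split of a SIG record into a signer name plus a signature are assumptions of the model. It shows how a size computed in a 16-bit integer wraps once a record's pieces add up to more than 65,535 bytes, so a tiny buffer is allocated for a huge record, and how computing in a wide type with an explicit limit check avoids that.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed-size part of a SIG record preceding the signer name and
 * the signature (type covered, algorithm, labels, TTLs, times, key tag). */
#define SIG_FIXED_HEADER 18u

/* Largest payload a single DNS message can carry (2-byte length prefix on TCP). */
#define DNS_MAX_MESSAGE 0xFFFFu

/* Buggy model: the buffer size is accumulated in a 16-bit integer, so
 * header + signer name + signature silently wraps modulo 65536. */
uint16_t sig_alloc_size_buggy(uint16_t signer_name_len, uint16_t signature_len) {
    uint16_t total = SIG_FIXED_HEADER;
    total += signer_name_len;
    total += signature_len;      /* wraps once the sum exceeds 65,535 */
    return total;                /* a wrapped value is far smaller than the data to copy */
}

/* Fixed model: compute in size_t and refuse anything larger than a DNS
 * message can hold; returns 0 on rejection, otherwise the exact size. */
size_t sig_alloc_size_checked(uint16_t signer_name_len, uint16_t signature_len) {
    size_t total = (size_t)SIG_FIXED_HEADER + signer_name_len + signature_len;
    if (total > DNS_MAX_MESSAGE)
        return 0;                /* oversized record: reject instead of allocating */
    return total;
}

/* True when the buggy computation would hand back a buffer smaller than
 * the bytes that the parser would then copy into it (a heap overflow). */
bool buggy_size_undersized(uint16_t signer_name_len, uint16_t signature_len) {
    size_t real = (size_t)SIG_FIXED_HEADER + signer_name_len + signature_len;
    return sig_alloc_size_buggy(signer_name_len, signature_len) < real;
}

int main(void) {
    /* Constructed inputs: a 255-byte signer name and a 65,280-byte signature. */
    uint16_t name_len = 255, sig_len = 65280;
    printf("buggy size:   %u bytes\n", sig_alloc_size_buggy(name_len, sig_len));
    printf("checked size: %zu (0 = rejected)\n", sig_alloc_size_checked(name_len, sig_len));
    printf("undersized:   %s\n", buggy_size_undersized(name_len, sig_len) ? "yes" : "no");
    return 0;
}
```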

SigRed can allow an unauthenticated attacker to run commands on the vulnerable Windows Server system as a local system admin, and because it is wormable it can compromise an entire organization within minutes of the initial exploit. This, coupled with the high chances of exploitation now that the flaw is public knowledge, led to the recommendation that all Windows Server 2003-2019 systems be updated with the new patch Microsoft released this week. If the patch can't be applied quickly, there is a workaround that involves changing a registry key to limit the size of the DNS TCP packets the server will accept.

Sources

https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

https://thehackernews.com/2020/07/windows-dns-server-hacking.html