Microsoft urges patching severe-impact, wormable server vulnerability

  News
A data center stock photo. I spy with my little eye some de-badged EMC Symmetrix DMX-3 or DMX-4 disk bays at right and some de-badged EMC CX disk bays at left. Disk arrays like these are a mainstay of traditional enterprise data center SANs.

Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer.

The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday.

Both Microsoft and the researchers from Check Point, the security firm that discovered the vulnerability, said that it’s wormable, meaning it can spread from computer to computer in a way that’s akin to falling dominoes. With no user interaction required, computer worms have the potential to propagate rapidly just by virtue of being connected and without requiring end users to do anything at all.

When a worm’s underlying vulnerability easily allows malicious code to be executed, exploits can be especially pernicious, as was the case with both the WannaCry and NotPetya attacks from 2016 that shut down networks worldwide and caused billions of dollars in damage.

Check Point researchers said that the effort required to exploit SigRed was well within the means of skilled hackers. While there’s no evidence that the vulnerability is actively under exploit at the moment, Check Point said that’s likely to change, and if it does, the destructive effects would be high.

In a technical analysis, Sagi Tzadik, the company researcher who found the vulnerability in May and privately reported it to Microsoft, wrote:

We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.

In a brief writeup here, Microsoft analysts agreed the underlying heap-based buffer overflow was wormable. The company also rated the chances of exploitation as “more likely”. Many outside researchers concurred.

“If I’ve understood the article correctly, calling it ‘wormable’ is actually an understatement,” Vesselin Vladimirov Bontchev, a security expert who works for the National Laboratory of Computer Virology in Bulgaria, wrote on Twitter. “It’s suitable for flash worms a la Slammer, which infected the whole population of vulnerable computers on the Internet in something like 10 minutes flat.”

Bontchev was disagreeing with fellow security researcher Marcus Hutchins, who said he thought it was more likely attackers would exploit SigRed in an attempt to wage crippling ransomware campaigns. In that scenario, attackers would take control of a network’s DNS server and then use it to push malware to all connected client computers. Slammer is a reference to SQL Slammer, a worm from 2003 that exploited two vulnerabilities in Microsoft’s SQL Server. Within 10 minutes of being activated, SQL Slammer infected more than 75,000 machines, some of them belonging to Microsoft.

Organizations that use Windows DNS should carefully assess the risks and install Tuesday’s patch as soon as possible. For those who can’t patch immediately, Microsoft offered stopgap measures in the write-up linked above.

https://arstechnica.com/?p=1691743