Published in News

SigRed bug worms into Windows DNS

by on15 July 2020

Microsoft warns the 17 year old bug is critical

A potentially "wormable" vulnerability -- meaning an attack can spread from one machine to another with no human interaction -- has appeared in Microsoft's implementation of the domain name system protocol.

As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company's researchers have named SigRed.

SigRed exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organisation around the world.

The bug, Check Point says, has existed in that software for a remarkable 17 years. Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry standard severity rating.

Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive - a foothold in one would allow further penetration into other devices inside an organisation.

Check Point's head of vulnerability research Omri Herscovici said the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack.

"It requires no interaction. And not only that, once you are inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy… It's basically game over", Herscovici said.

Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows hackers to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server.

Last modified on 15 July 2020
Rate this item
(3 votes)

Read more about: