Windows DNS Seeing Red

Author: Mike Nerek

Date: 15th July 2020

Yesterday, Microsoft released a patch to a 17-year-old critical vulnerability that researchers Sagi Tzadik and Eyal Itkin at Check Point Research recently unearthed in Windows’ DNS server software. The vulnerability allows for total system compromise, scoring it a 10 on the Common Vulnerability Scoring System.

Microsoft included the security update in yesterday’s patch Tuesday update, on July 14th. Thanks to our continuous monitoring capabilities, Oversight clients have already been notified about any instances on their networks. We have also offered all our clients a complimentary scan to determine whether they were affected. If you’re concerned or would like a complimentary scan of your network perimeter, please get in touch.

The vulnerability is a heap-based buffer overflow, triggerable via a specifically crafted DNS request. It is accessible not only locally, but also through DNS over TCP, meaning numerous environments can be compromised unauthenticated over the internet. Researcher Sagi Tzadik said:

“… if [SIGRed is] exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.”

The mitigation is available as a security patch right now. Where patching is unavailable a temporary workaround has been released by Microsoft. The workaround sets an upper limit on the size of inbound DNS requests that the server will process, thusly preventing the buffer overflow. A full patch of all affected systems is still advised where possible.