17-year-old RCE vulnerability found in Microsoft DNS servers

A critical RCE vulnerability dubbed SIGRed has been found in Microsoft Windows DNS servers.

What's interesting is that this vulnerability has been present for the past 17 years. It also carries a CVSS base score of 10, the highest possible severity rating.

The vulnerability is classified as a 'wormable' vulnerability, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.

This issue results from a flaw in Microsoft's DNS server role implementation. It does not affect non-Microsoft DNS servers. The vulnerability stems from how the Windows DNS server parses an incoming DNS query and from how it handles forwarded DNS queries.

The flaw itself is an integer-overflow bug. It can be used to trigger a heap-based buffer overflow in the DNS module dns.exe, which is responsible for answering DNS queries on Windows servers.

Impact

When triggered by a malicious DNS query, the heap-based buffer overflow enables an attacker to take control of the server. This makes it possible for an attacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials, etc.

Because the service runs with elevated privileges, compromising it also grants the attacker Domain Administrator rights. In certain scenarios, the vulnerability can be triggered remotely through browser sessions.

How to Mitigate the SIGRed Vulnerability

Microsoft has released a patch to update the DNS server to the latest version. If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

    Set the TcpReceivePacketSize value to 0xFF00

The default (also the maximum) value is 0xFFFF; the recommended value is 0xFF00 (255 bytes less than the maximum).

Restart the DNS service (not the whole server) for the change to take effect.
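The same workaround scripted for an elevated PowerShell session on the DNS server, as an added example that is not part of the original post or of Microsoft's advisory. It writes the value, restarts the DNS service, and reads the value back so you can confirm the change applied; the function and parameter names (Set-SigredWorkaround, Get-TcpReceivePacketSize, -Revert) are my own. The -Revert switch removes the value again, which is only appropriate once the Microsoft update has been installed.

```powershell
# Added example (not from the original post): apply, verify, or revert the
# TcpReceivePacketSize workaround described above. Run as Administrator on
# the Windows DNS server. Function and parameter names are assumptions.
#Requires -RunAsAdministrator

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Mitigated = 0xFF00   # recommended value from the post (65280)
$Default   = 0xFFFF   # default and maximum value (65535)

function Get-TcpReceivePacketSize {
    # Returns the current value, or $null when the value has never been set
    # (an absent value means the service uses the default, 0xFFFF).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Format-PacketSize([object]$Value) {
    if ($null -eq $Value) { return "not set (default 0x{0:X4})" -f $Default }
    return '0x{0:X4}' -f $Value
}

function Set-SigredWorkaround {
    [CmdletBinding()]
    param(
        # -Revert removes the value so the default applies again; use it only
        # after the Microsoft update has been installed.
        [switch]$Revert
    )

    $before = Get-TcpReceivePacketSize
    Write-Host "Current ${ValueName}: $(Format-PacketSize $before)"

    if ($Revert) {
        if ($null -ne $before) {
            Remove-ItemProperty -Path $RegPath -Name $ValueName
        }
    } else {
        # REG_DWORD value; -Force overwrites an existing value in place.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                         -Value $Mitigated -Force | Out-Null
    }

    # The value is read when the service starts, so the DNS service (not the
    # host) must be restarted for the change to take effect.
    Restart-Service -Name DNS -Force

    # Verify the registry now holds what we expect before declaring success.
    $after = Get-TcpReceivePacketSize
    if (-not $Revert -and $after -ne $Mitigated) {
        throw "Workaround not applied: $ValueName is $(Format-PacketSize $after), expected 0x{0:X4}" -f $Mitigated
    }
    if ($Revert -and $null -ne $after) {
        throw "Revert failed: $ValueName is still set to $(Format-PacketSize $after)"
    }
    Write-Host "Done. ${ValueName}: $(Format-PacketSize $after); DNS service status: $((Get-Service -Name DNS).Status)"
}

# Usage:
#   Set-SigredWorkaround            # apply the 0xFF00 limit and restart DNS
#   Set-SigredWorkaround -Revert    # remove the value after patching
```

Reading the value back after the restart is the part worth keeping even if you apply the change by hand: a typo in the hex value or a write to the wrong hive leaves the server unmitigated while looking done.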

posted to
Application Security
on July 17, 2020