Threat Alert

by IthacaLabs™

THREAT LEVEL/High 15/07/2020

New Critical ‘Wormable’ RCE Vulnerability Impacts Windows DNS Servers

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are required, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new highly critical wormable vulnerability (CVE-2020-1350), affecting Microsoft Windows DNS Servers, has been identified.

This flaw, named “SigRed”, is a 17-year-old remote code execution vulnerability that resides in the way Microsoft Windows DNS Servers handle specific requests. An attacker could gain domain administrator privileges over targeted servers and seize complete control of an organization’s IT infrastructure.

An unauthenticated remote attacker could exploit this issue by sending crafted malicious DNS queries to a Windows DNS server in order to achieve arbitrary code execution. This could lead to the interception and manipulation of users’ emails and network traffic and to the harvesting of users’ credentials. Furthermore, the exploitation of “SigRed” could result in denial of service conditions.

Note that the flaw is wormable in nature, allowing malicious actors to launch an attack that can spread from one vulnerable computer to another without any human interaction.

CVE(s)

CVE-2020-1350

BASE SCORE: 10 High
VECTOR: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.

Affected Systems

  • Microsoft Windows Server versions 2003 to 2019

Recommendation(s)

You should immediately apply the latest relevant security patches available from the vendor. Also, you should update the Microsoft Windows Server OS to its latest version.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled at all times, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
