Microsoft fixes 17-year-old wormable RCE vulnerability affecting Windows DNS Server
Microsoft has addressed a 17-year-old critical Remote Code Execution (RCE) vulnerability in Windows DNS Server. The company on Tuesday (July 14, 2020) released a security update that fixes CVE-2020-1350, a critical RCE vulnerability that is classified as a ‘wormable’ flaw. What’s more, it has a CVSS (Common Vulnerability Scoring System) base score of 10.0. Meaning, the flaw is consi110dered highly critical. Security flaws with CVSS score between 9.0 and 10.0 must be addressed and fixed on pri1ority..
What is CVE-2020-1350
According to security researchers who disclosed this vulnerability CVE-2020-1350, also known as ‘SIGRed,’ affects Windows Server versions 2003 to 2019. This wormable security vulnerability can be exploited, courtesy of a malicious DNS response. According to Microsoft, the actual cause behind the existence of this vulnerability is a loophole in Microsoft’s DNS server role implementation, which affects all Windows Server versions. However, non-Microsoft DNS Servers are not affected.
“Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” said Mechele Gruhn, Principal Security PM Manager, Microsoft Security Response Center.
According to security researchers, the vulnerability ‘SIGRed’ can be triggered via a Web Browser application, courtesy of “smuggling DNS inside HTTP” requests on Microsoft Explorer and Microsoft Edge browsers. However, the new Chromium-based Edge, Chrome, and Firefox browsers are immune to this problem since they no longer accept HTTP requests over the standard DNS port.
Researchers could trigger the vulnerability by sending a link to a user in an email. When opened, this email would smuggle the DNS query inside of the HTTP request.
Well, CVE-2020-1350 happens to be the second major wormable flaw patched by Microsoft in the year 2020. To recall, the company released a patch in March, fixing CVE-2020-0796, a wormable RCE vulnerability known as EternalDarkness or SMBGhost. It was the result of a flaw in Microsoft Server Message Block 3.1.1.
In addition to a security update, a registry-based workaround is also available, which doesn’t require restarting the server:
You need to make the registry change, as follows:
Value = 0xFF00
It enables restricting the size of the largest inbound TCP-based DNS response packet. Once made the changes, simply restart the DNS Service.
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.