The US DHS CISA issued an emergency directive urging government agencies to patch the recently disclosed SIGRed Windows Server DNS vulnerability within 24h due to the likelihood of the issue being exploited.
The issue received a severity rating of 10.0 on the CVSS scale and affects Windows Server versions 2003 to 2019.
The SigRed flaw was discovered by Check Point researcher Sagi Tzaik and impacts Microsoft Windows DNS.
The vulnerability could be exploited by an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and take full control of an organization’s IT infrastructure.
An attacker could exploit the SigRed vulnerability by sending specially-crafted malicious DNS queries to a Windows DNS server.
“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” reads the analysis published by CheckPoint.
An attacker could exploit the issue to remotely execute arbitrary code, intercept and manipulate network traffic and steal sensitive data.
The flaw resides in how Windows DNS server handles an incoming DNS query, as well as how forwarded DNS queries are parsed.
The bug affects the DNS server component that ships with all Windows Server versions from 2003 to 2019.
CISA director Christopher Krebs considers the issue critical for government agencies due to the wide prevalence of Windows Server in civilian Executive Branch, it is also critical for organizations in the private sector.
“I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.” states Krebs.
“Today, I directed agencies to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.”
Krebs pointed out that the issue is “wormable,” this means that it can run independently and propagate copies to other vulnerable systems impacting all Windows Server versions that have the DNS role enabled.
The ED 20-03 emergency directive requires agencies to install the security patches within by Friday, July 17, 2020, 2:00 pm EDT.
In case agencies cannot be installed, CISA requires agencies to deploy a registry modification workaround detailed in the Microsoft advisory.
Agencies then have another week to remove the workaround and apply the security update. Servers that can’t be updated should be removed from an agency’s network, CISA said.
This emergency directive requires updating all endpoints running Windows Server operating systems. and reporting status report to CISA.
The good news is that at the time of writing, no proof-of-concept code for the SIGRed vulnerability is publicly available.
“The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of this vulnerability, but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch.” states the directive.
Recently security experts warned of other critical vulnerabilities that are easy to exploit, including issues in Palo Alto Networks’s PAN-OS, in F5 BIG-IP networking devices, and the SAP Recon vulnerability.
(SecurityAffairs – hacking, SigRed)