Microsoft’s October Patch Tuesday addresses three critical security vulnerabilities in the Windows DNS client in Windows 8, Windows 10, and Windows Server 2012 and 2016.
The vulnerabilities affect the Microsoft’s implementation of one of the data record features used in the secure Domain Name System protocol, DNSSEC.
DNSSEC is a set of extensions to DNS that was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The answers from DNSSEC protected zones are digitally signed, a DNS resolver can verify the digital signature to check the integrity of the information compared with to the information published by the zone owner and served on an authoritative DNS server.
The heap buffer-overflow flaws, tracked as CVE-2017-11779, were reported by experts at security firm Bishop Fox, The issues are Windows DNSAPI Remote Code Execution flaws that could be exploited by an attacker to gain full control over the victim’s machine without user interaction.
Microsoft fixed the flaw by releasing the KB4042895 security update (OS Build 10240.17643).
According to Nick Freeman, the Bishop Fox researcher who discovered the vulnerabilities, the problem resides in the Microsoft’s implementation of the NSEC3 (Next Secure Record version 3) feature for DNSSEC.
“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record,” Freeman wrote in a report released today. “Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”
“Because the record is malformed, it doesn’t make it through the normal DNS system. Servers along the way will drop it because it doesn’t fit the standard for NSEC3 record,” he wrote. “This is a good thing, because otherwise this issue would be easier to exploit and have far more serious implications. So, for an attacker to exploit this issue, they need to be between you and the DNS server you’re using.”
Attackers can use malformed NSEC3 records to trigger the vulnerability and corrupt the memory of the DNS client, it can result in arbitrary code execution on the flawed system.
An attacker can trigger DNSSEC flaws in Windows only if it shares the same physical network as the targeted machine. An insider or an external attacker is in the condition to run a man-in-the-middle attack to intercept DNS requests from the victim’s machine could exploit the flaw.
“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.
An attacker can trigger the flaws by injecting a malicious payload into a DNS response to a Windows machine’s DNS request.
“If someone was using a corporate laptop at a coffee shop and on WiFi, or hacked your cable router and you got hit … giving the attacker an entry point into the network,” Freeman added. “They could then launch this attack against other systems on that network.”
Bishop Fox confirmed it is not aware of any public attacks exploiting this flaw.
“This is a very traditional vulnerability, so it’s reasonable” for most attackers to be able to exploit it, Freeman concluded.
(Security Affairs – DNSSEC, zero-day)