Windows DNS servers susceptible to wormable 17-year-old SigRed flaw

A critical 17-year-old vulnerability has been uncovered in all Windows DNS servers, with administrators being urged to apply a workaround or patch from Microsoft as soon as possible.

The vulnerability, which has been given the name SigRed, was uncovered by Check Point Research and assigned the reference CVE-2020-1350.

The vulnerability stems from a flaw in how Windows DNS server handles signature (SIG) record queries.

A malicious SIG record over 64 kilobytes in size causes a heap buffer overflow allowing attackers to execute code with high privileges remotely, and take over vulnerable servers remotely.

Researchers are concerned that the vulnerability is easy to exploit, and that it will be incorporated in self-propagating malware, “worms” that spread uncontrollably.

“We believe that the likelihood of this vulnerability being exploited is high,” Check Point Research said in a detailed write-up. 

“Due to time constraints, we did not continue to pursue the exploitation of the bug ... but we do believe that a determined attacker will be able to exploit it. 

“Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially domain controllers. 

“In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS.

“We strongly recommend users to patch their affected Windows DNS Servers in order to prevent the exploitation of this vulnerability.”

Similar warnings were carried by the likes of the SANS Internet Storm Center, which tweeted:

“The Microsoft DNS SigRed vulnerability (CVE-2020-1350) : drop what you are doing and patch it now (if this isn’t what you are doing..).”

While the vulnerability has had security researchers concerned that a worm epidemic is on the horizon, the bug is easy to mitigate against.

Microsoft has issued guidance that advises on how to change the Registry system configuration database in Windows, to limit the largest size allowed for inbound TCP based DNS response packets.

But for those in a position to patch immediately, Microsoft recommended "to install the security update as soon as possible."