As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their mission-critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week, there is a new critical alert that requires the mission-critical community’s immediate attention.
A Remote Code Execution (RCE) vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploits it can execute arbitrary code with system-level privileges on the DNS server, which in most environments is also a domain controller.
Technical Detail and Additional Information
Why Is This Noteworthy?
This RCE vulnerability, known as SIGRed, was found by security researchers who showed that a specially crafted DNS response, delivered to a vulnerable Windows DNS server, could crash and ultimately take control of it. DNS is the part of the global internet infrastructure that translates human-readable domain names into the numeric IP addresses that computers need to reach a website or deliver email.
The flaw is in how the server parses a SIG (signature) resource record. A DNS response carrying a SIG record larger than 64 kilobytes (KB) causes the server's 16-bit size calculation to wrap, so it allocates a buffer that is too small and then writes past the end of it: a heap-based buffer overflow. A response that large only fits in a DNS message carried over Transmission Control Protocol (TCP), so the attacker's server returns it over TCP. The trigger does not even require direct access to the server: DNS over TCP prefixes each message with a two-byte length field, so a Hypertext Transfer Protocol (HTTP) request sent to port 53 of the victim server (for example, a POST issued by a browser on the internal network that visited an attacker-controlled page) is read as a length-prefixed DNS query.
The attack chain therefore runs in two steps. First, the attacker causes the victim DNS server to act as a client by sending it a query for a name in a domain the attacker controls; the server forwards that query to the attacker's authoritative DNS server. Second, the attacker's server returns the oversized SIG response, and parsing that response triggers the overflow. Because the DNS Server service runs as the Local System account and is usually installed on domain controllers, successful exploitation gives the attacker code execution as SYSTEM on the domain controller, which is effectively domain-administrator control. The vulnerability is also classified as wormable, meaning that an attack could spread from server to server without human intervention, giving the attacker a foothold in the network for further exploitation. Although no such exploitation has been reported to date, the likelihood of this vulnerability being exploited is high.
What Are the Risks?
This vulnerability affects only Windows Server systems that run the DNS Server role, but it affects every such server across all supported versions. Any organization that has unpatched servers configured to run this service is exposed. Because the DNS Server role most often sits on a domain controller, a compromised server lets an attacker intercept and/or tamper with email and network traffic, spread malware, harvest credentials, and steal information. Microsoft assigned the vulnerability a Common Vulnerability Scoring System (CVSS) score of 10.0, the maximum, indicating a severe threat.
What Are the Recommendations?
Microsoft has released a patch that should be applied to all affected devices as soon as possible; for most systems, it is included in the monthly rollup. If affected devices cannot be patched immediately, the following registry change limits the largest inbound Transmission Control Protocol (TCP)-based DNS response packet the server will accept to 0xFF00 (65,280) bytes, which is below the size needed to trigger the overflow:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: TcpReceivePacketSize
Type: DWORD
Value data: 0xFF00
Once the value is set, the DNS service must be restarted for the change to take effect (for example, net stop dns followed by net start dns). Microsoft notes that, with the workaround in place, the server will be unable to resolve names whose upstream TCP responses exceed 65,280 bytes; such responses are rare in practice. The workaround is an interim measure, not a substitute for the patch: install the update as soon as possible, after which the registry value is no longer needed. Step-by-step instructions are provided in Microsoft's published guidance for this vulnerability.
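The following PowerShell script is an added example of applying and verifying the interim registry workaround described above; it is not code from MCP or from Microsoft. It assumes it is run in an elevated session on a Windows Server host, uses the Microsoft-documented registry subkey and TcpReceivePacketSize value, and skips hosts where the DNS Server service is not installed. The function and variable names are the author's own.

```powershell
# Added example (not MCP's or Microsoft's code): apply, verify and later remove the
# TcpReceivePacketSize workaround for the Windows DNS Server SIG-record overflow.
# Run in an elevated PowerShell session on each server that holds the DNS Server role.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65,280 bytes: largest inbound TCP DNS response the server will accept

function Test-DnsServerRole {
    # Only hosts running the DNS Server service are affected; the service name is 'DNS'.
    return ($null -ne (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue))
}

function Get-TcpReceivePacketSize {
    # Returns the current DWORD value, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SigRedMitigation {
    if (-not (Test-DnsServerRole)) {
        Write-Output 'DNS Server service not present on this host; nothing to do.'
        return
    }
    $current = Get-TcpReceivePacketSize
    if ($current -eq $Expected) {
        Write-Output ('{0} is already 0x{1:X4}; no change made.' -f $ValueName, $current)
        return
    }
    # -Force creates the value if it is absent and overwrites it if it holds another size.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $Expected -Force | Out-Null
    # The DNS service reads this value only at startup, so a restart is required.
    Restart-Service -Name 'DNS' -Force
    $after = Get-TcpReceivePacketSize
    if ($after -ne $Expected) {
        throw ('Workaround NOT applied: {0} reads back as {1}' -f $ValueName, $after)
    }
    Write-Output ('Applied: {0} = 0x{1:X4}; DNS service restarted.' -f $ValueName, $after)
}

function Remove-SigRedMitigation {
    # Post-patch cleanup: once the security update is installed the value is no longer needed.
    if (-not (Test-DnsServerRole)) { return }
    if ($null -eq (Get-TcpReceivePacketSize)) {
        Write-Output ('{0} not present; nothing to remove.' -f $ValueName)
        return
    }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    Restart-Service -Name 'DNS' -Force
    Write-Output ('Removed {0}; DNS service restarted.' -f $ValueName)
}

# Apply the workaround. Call Remove-SigRedMitigation instead after the patch is confirmed installed.
Set-SigRedMitigation
```

The script reads the value back after the restart rather than trusting the write, so a failed application (for example, a permissions error on the subkey) surfaces as an exception instead of silently leaving the server exposed. Run it once per DNS server, for instance through Invoke-Command against the list of domain controllers, and keep the output as evidence of which hosts were mitigated and when.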
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public-safety entities and other critical-infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.