CISA Issues Emergency Directive on Windows Server DNS Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of an emergency directive on patching a Windows Server Domain Name System (DNS) vulnerability (CVE-2020-1350).

Emergency Directive 20-03 is intended to advise federal executive branch departments, but the announcement noted also that "CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible."

Patch and Workaround
Microsoft released a patch and a Registry workaround for the Windows Server DNS vulnerability on Tuesday, indicating at the time that the flaw wasn't under active attack. However, CVE-2020-1350 is considered to be a "wormable" vulnerability, triggered remotely by a malicious request -- meaning that it could spread across networks like the infamous "WannaCry" (NotPetya) wiper malware of a few years back.

So far, CISA isn't aware of active exploits, but attackers could quickly get to that point, now that Microsoft has released a patch.

"The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of this vulnerability, but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch," Emergency Directive 20-03 explained.

The directive instructs federal agencies to either install the patch by July 17 on all Windows Servers with a DNS role or apply the Registry workaround by that date. They should double-check a week later that the installations were successful. IT pros should consider removing from the network any Windows Servers that can't be updated within this time frame.

"In instances where servers cannot be updated within 7 business days, CISA advises agencies to consider removing them from their networks," the directive stated.

A '17-Year-Old Bug'
A technical explanation of the Windows Server DNS exploit was published in a July 14 blog post by Check Point Research. Microsoft's CVE-2020-1350 security bulletin credited Sagi Tzadik and Eyal Itkin of Check Point Research for disclosing the vulnerability. These researchers found a way to exploit a heap-based buffer overflow issue in Windows Server DNS.

"To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer," the researchers explained regarding the flaw.

The buffer overflow caused a server crash. However, the researchers further explained that "the heap can be shaped in a way that allows us to overwrite some meaningful values."

The Check Point researchers dubbed the vulnerability "SIGRed" and described it as a "17 year-old bug in Windows DNS Servers."

The attack uses Port 53, and an exploit can be triggered remotely. In an accompanying video, the Check Point researchers showed the exploit getting triggered by an end user who clicks on a malicious link in an e-mail. The exploit also can get triggered via Microsoft's older browsers.

"In practice, most popular browsers (such as Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, so this bug can only be exploited in a limited set of web browsers -- including Internet Explorer and Microsoft Edge (non-Chromium based)," the researchers explained.

Workaround Advice
Many organizations lag in patching their systems, so they may resort to applying the Registry workaround. The workaround limits the size of Windows Server DNS responses, thwarting the attack. It's a workaround, though, that modifies functionality.

Microsoft explained in a July 15-dated support article that "after the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes."

The workaround puts the server into a "non-standard use case" that could "cause an unanticipated failure." IT pros should test whether the workaround will have such untoward effects, the support article added:

To determine whether the server implementation will be adversely affected by this workaround, you should enable diagnostic logging, and capture a sample set that is representative of your typical business flow. Then, you will have to review the log files to identify the presence of anomalously large TCP response packets.

Microsoft added that "a restart of the DNS Service is required [for the workaround] to take effect."
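As an added illustration of the log review the support article describes (this is not code from the article, Microsoft or Check Point), the following Python walks a captured DNS-over-TCP byte stream, where every message is framed by a two-byte length prefix, and flags responses larger than the 65,280-byte limit the workaround enforces. The sample stream is constructed inline.

```python
import struct

# Response size the workaround caps at, per the Microsoft support article
MAX_TCP_RESPONSE = 65280


def iter_tcp_dns_messages(stream: bytes):
    """Yield (length, payload) for each length-prefixed DNS message in a TCP byte stream."""
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        payload = stream[offset + 2:offset + 2 + length]
        if len(payload) < length:
            # Truncated capture: stop rather than mis-parse whatever follows
            break
        yield length, payload
        offset += 2 + length


def is_response(payload: bytes) -> bool:
    """The QR bit (high bit of byte 2 of the 12-byte DNS header) marks a response."""
    return len(payload) >= 12 and bool(payload[2] & 0x80)


def find_oversized_responses(stream: bytes, limit: int = MAX_TCP_RESPONSE):
    """Return (message index, framed length, transaction id) for responses above the limit."""
    hits = []
    for i, (length, payload) in enumerate(iter_tcp_dns_messages(stream)):
        if is_response(payload) and length > limit:
            txid = struct.unpack("!H", payload[:2])[0]
            hits.append((i, length, txid))
    return hits


def build_message(txid: int, response: bool, body_len: int) -> bytes:
    """Constructed sample: a DNS header plus body_len filler bytes, TCP-framed with its length."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    message = header + b"\x00" * body_len
    return struct.pack("!H", len(message)) + message


# Constructed sample stream: a query, a normal-sized response, and one over the limit
SAMPLE_STREAM = (
    build_message(0x1234, False, 20)
    + build_message(0x1234, True, 200)
    + build_message(0x5678, True, 65300)
)

if __name__ == "__main__":
    for idx, length, txid in find_oversized_responses(SAMPLE_STREAM):
        print(f"message #{idx}: txid=0x{txid:04x} length={length} exceeds {MAX_TCP_RESPONSE}")
```

A response flagged here is exactly the kind the workaround would cause the server to drop, so a hit in representative traffic means the workaround would break resolution for that upstream.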

CISA's emergency directive recommended removing the workaround when the patch for CVE-2020-1350 can be applied: "The registry modification workaround is compatible with the security update but should be removed once the update is applied to prevent potential future impact that could result from running a nonstandard configuration."

Organizations should not delay in applying this patch, according to Christopher C. Krebs, CISA's director.

"If you have Windows Servers running DNS, you should patch now," Krebs wrote. "Don't wait on this one."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
