SIGRed – This is Not Just Another Vulnerability – Patch Now to Stop The Next Cyber Pandemic

By : Krishna Anindyo | Wednesday, July 15 2020 - 14:35 IWST

Check Point Software Technologies (Images by Acclaim)
Imagine what could happen if someone was able to intercept and read every piece of your mail without your knowledge, before forwarding it on to you: your new bank card, your replacement driver’s license or passport, letters from your doctor, application forms and more. It’s not hard to understand what that person could learn about you, and what damaging things they could do by copying or tampering with your mail.

Now imagine that a hacker could do the same on your organisation’s network, intercepting and manipulating users’ emails and network traffic, making services unavailable, harvesting users’ credentials and more. In effect, they would be able to seize complete control of your IT.

Check Point researchers recently discovered a critical vulnerability in Windows DNS Server, an essential component of any Windows network environment, that would allow an attacker to do exactly this. We reported it to Microsoft, who acknowledged it as a critical vulnerability (CVSS score 10.0, the highest possible severity) and issued an urgent patch for it. We strongly recommend that users apply the patch to their affected Windows DNS Server versions, from 2003 to 2019, to prevent exploitation of this vulnerability.

Let’s take a closer look at what DNS is, and why this newly-discovered vulnerability is so critical.

Addressing the issue

DNS is part of the global internet infrastructure that translates the familiar website names we all use into the strings of numbers that computers need in order to find that website or send an email. It’s the ‘address book’ of the internet. When you have a domain name – for example, – you control what number that name resolves to via a ‘DNS record’.

But what happens if someone is able to tamper with the DNS records your organisation’s network uses, to change the addresses that a website name translates to? Then it becomes a critical security issue – just like the example mentioned earlier, of someone intercepting and studying all of your mail.

To highlight just how dangerous a security problem DNS tampering can be, in 2019 the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the credentials for their Internet domain records, in response to an international Domain Name System (DNS) hijacking campaign. The perpetrators behind the campaign were able to steal email and other login credentials from a number of government and private sector entities in the Middle East by hijacking the DNS servers for these targets, so that all email and VPN traffic was redirected to Internet addresses controlled by the attackers.

A contagious flaw

The vulnerability that Check Point uncovered exposes all organisations using Windows Server versions 2003 to 2019 to exactly the same risks: if exploited, it would give a hacker Domain Administrator rights over the server, and compromise the entire corporate infrastructure.

The flaw is in the way the Windows DNS server parses an incoming DNS query, and in the way it parses a response to a forwarded DNS query. A malicious DNS query (as detailed in our full research blog) triggers a heap-based buffer overflow, enabling the hacker to take control of the server.

To add to the severity of the flaw, Microsoft described it as ‘wormable,’ which means that a single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction. As DNS security is not something many organisations monitor for, or have tight controls around, this means that a single compromised machine could be a ‘super spreader,’ enabling the attack to spread throughout an organisation’s network within minutes of the first exploit.

Disclosure and mitigation

We disclosed our research findings to Microsoft on 19th May, and they responded quickly, issuing a fix for the Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350). The patch is available from today, Tuesday 14 July.

We strongly recommend that users patch their affected Windows DNS Servers in order to prevent the exploitation of this vulnerability. We believe that the likelihood of this vulnerability being exploited is high: we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as Windows DNS servers.
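One way an administrator can audit a Windows DNS Server for this issue, as an added example that is not from the Check Point post: it checks whether the DNS Server role is present, whether Microsoft's published interim registry workaround (a reduced TcpReceivePacketSize) is in place, and which update was installed most recently, with the function names, thresholds and output fields being this example's own assumptions.

```powershell
# Added example (not from the original article): audit a Windows DNS Server
# for the SIGRed (CVE-2020-1350) mitigation state. Assumes PowerShell 5.1+ and
# an elevated session on the DNS server itself. The registry workaround is the
# interim measure Microsoft published for this CVE pending installation of
# the July 2020 update (TcpReceivePacketSize = 0xFF00).

$regPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName      = 'TcpReceivePacketSize'
$mitigatedValue = 0xFF00   # assumption: any value at or below this counts as applied

function Get-SigRedStatus {
    $status = [ordered]@{
        DnsRoleInstalled   = $false
        WorkaroundApplied  = $false
        WorkaroundValue    = $null
        LastPatchInstalled = $null
    }

    # Is the DNS Server service present on this host at all?
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    $status.DnsRoleInstalled = ($null -ne $svc)

    # Read the interim registry workaround; absent means the default (unmitigated) size.
    $current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $current) {
        $status.WorkaroundValue   = ('0x{0:X}' -f $current)
        $status.WorkaroundApplied = ($current -le $mitigatedValue)
    }

    # Most recently installed update: compare it against the July 2020 security
    # update for your Windows Server release (the KB number differs per version).
    $status.LastPatchInstalled = (Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1).HotFixID

    return [pscustomobject]$status
}

function Set-SigRedWorkaround {
    # Apply the interim registry mitigation and restart the DNS service so it
    # takes effect. This is a stop-gap until the security update is installed.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
        -Value $mitigatedValue -Force | Out-Null
    Restart-Service -Name 'DNS'
}

Get-SigRedStatus | Format-List
```

Run `Get-SigRedStatus` on each DNS server as part of patch verification; `Set-SigRedWorkaround` is only for hosts where the update cannot be installed immediately.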
