SIGRed – This is Not Just Another Vulnerability – Patch Now to Stop the Next Cyber Pandemic

By : Krishna Anindyo | Wednesday, July 15 2020 - 14:35 IWST

Check Point Software Technologies (Images by Acclaim)

INDUSTRY.co.id - Imagine what could happen if someone was able to intercept and read every piece of your mail without your knowledge, before forwarding it on to you:  your new bank card, your replacement driver’s license or passport, letters from your doctor, application forms and more. It’s not hard to understand what that person could learn about you, and what damaging things they could do by copying or tampering with your mail.

Now imagine that a hacker could do the same on your organisation’s network, intercepting and manipulating users’ emails and network traffic, making services unavailable, harvesting users’ credentials and more. In effect, they would be able to seize complete control of your IT.

Check Point researchers recently discovered a critical vulnerability that would allow an attacker to do exactly this in Windows DNS Server, an essential component of any Windows network environment.  We reported it to Microsoft, who acknowledged it as a critical vulnerability (CVSS score 10.0 – indicating the highest possible severity) and issued an urgent patch for it. We strongly recommend users apply the patch to their affected Windows DNS Server versions from 2003 to 2019 to prevent the exploitation of this vulnerability.

Let’s take a closer look at what DNS is, and why this newly-discovered vulnerability is so critical.

Addressing the issue

DNS is part of the global internet infrastructure that translates the familiar website names we all use into the numeric IP addresses that computers need in order to reach that website or deliver an email. It is the ‘address book’ of the internet. When you own a domain name – for example, www.checkpoint.com – you control which address that name resolves to via its ‘DNS records’.

But what happens if someone is able to tamper with the DNS records your organisation’s network uses, to change the addresses that a website name translates to? Then it becomes a critical security issue – just like the example mentioned earlier, of someone intercepting and studying all of your mail.

To highlight just how dangerous a security problem DNS tampering can be, in 2019 the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the credentials for their Internet domain records, in response to an international Domain Name System (DNS) hijacking campaign. The perpetrators behind the campaign were able to steal email and other login credentials from a number of government and private sector entities in the Middle East by hijacking the DNS servers for these targets, so that all email and VPN traffic was redirected to Internet addresses controlled by the attackers.

A contagious flaw

The vulnerability that Check Point uncovered exposes all organisations using Windows Server versions 2003 to 2019 to exactly the same risks: if exploited, it would give a hacker Domain Administrator rights over the server, and compromise the entire corporate infrastructure.

The flaw lies in the way Windows DNS Server parses DNS messages: both incoming queries and, more importantly, the responses it receives to queries it has forwarded to other nameservers. A crafted DNS response to such a forwarded query (the construction is detailed in our full research blog) causes a heap-based buffer overflow in the server process, which an attacker can leverage into remote code execution and take control of the server.

To add to the severity of the flaw, Microsoft described it as ‘wormable,’ which means that a single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction. As DNS security is not something many organisations monitor for, or have tight controls around, this means that a single compromised machine could be a ‘super spreader,’ enabling the attack to spread throughout an organisation’s network within minutes of the first exploit.

Disclosure and mitigation

We disclosed our findings to Microsoft on 19th May 2020. Microsoft responded quickly, assigned the issue CVE-2020-1350 (Microsoft Windows DNS Server Remote Code Execution Vulnerability) and shipped a fix in its July 2020 Patch Tuesday release on Tuesday 14 July.

We strongly recommend that users patch their affected Windows DNS Servers to prevent exploitation of this vulnerability. We believe the likelihood of exploitation is high: we found internally all of the primitives required to exploit the bug, which means a determined attacker could find them too. In addition, some Internet Service Providers (ISPs) may have deployed Windows DNS as their public-facing DNS servers, exposing the flaw directly to the Internet.
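As an added example, not from the article or from Check Point's research, the following PowerShell triages a Windows DNS server for this issue and, for hosts that cannot be patched immediately, applies the interim registry workaround Microsoft published alongside the patch (the TcpReceivePacketSize value under the DNS service parameters, documented in KB4569509). The function names, the use of the 14 July 2020 update date as a patch heuristic instead of a per-build KB number, and the assumption that the script runs elevated on the DNS server itself are this example's own.

```powershell
# Added example (not the article's or Check Point's code): triage a Windows DNS Server
# for CVE-2020-1350 and apply/remove Microsoft's interim workaround (KB4569509).
# Assumptions: runs elevated on the DNS server; the patch KB differs per Windows build,
# so patch state is inferred from the 2020-07-14 release date rather than a hard-coded KB.

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00                    # 65280 bytes: caps inbound TCP DNS messages below the 64 KB trigger
$PatchDate = [datetime]'2020-07-14'    # Patch Tuesday on which the fix shipped

function Test-DnsServiceInstalled {
    # The DNS Server role registers the 'DNS' service; absence means nothing to do here.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Get-DnsPatchStatus {
    # Heuristic: on a supported build, any cumulative/security update installed on or after
    # 2020-07-14 carries the fix. Confirm against Microsoft's KB list for your specific build.
    $recent = Get-HotFix |
              Where-Object { $_.InstalledOn -ge $PatchDate } |
              Sort-Object InstalledOn -Descending
    if ($recent) {
        $ids = ($recent | Select-Object -ExpandProperty HotFixID) -join ', '
        return "Updates installed since $($PatchDate.ToShortDateString()): $ids"
    }
    return "No updates installed since $($PatchDate.ToShortDateString()) - treat as VULNERABLE"
}

function Get-WorkaroundStatus {
    $current = (Get-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current)       { return 'Workaround NOT applied (value absent)' }
    if ($current -le $SafeValue)  { return ('Workaround applied ({0} = 0x{1:X})' -f $ValueName, $current) }
    return ('Workaround value too large ({0} = 0x{1:X}); expected <= 0xFF00' -f $ValueName, $current)
}

function Enable-SigRedWorkaround {
    # Create or overwrite the DWORD, then restart DNS so the new limit takes effect.
    New-ItemProperty -Path $ParamsKey -Name $ValueName -PropertyType DWord `
                     -Value $SafeValue -Force | Out-Null
    Restart-Service -Name DNS -Force
}

function Disable-SigRedWorkaround {
    # Remove the cap once the patch is installed and verified.
    Remove-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
}

if (-not (Test-DnsServiceInstalled)) {
    Write-Output 'DNS Server service not found on this host; nothing to do.'
    return
}
Write-Output (Get-DnsPatchStatus)
Write-Output (Get-WorkaroundStatus)

# Uncomment on hosts that cannot be patched immediately:
# Enable-SigRedWorkaround
```

The workaround is a stopgap, not a substitute for the patch: with the cap in place the server cannot resolve names for its clients when an upstream response exceeds 65,280 bytes, so remove the value (Disable-SigRedWorkaround) after the July 2020 update has been installed and confirmed.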
