Last week Microsoft patched SIGRed, a critical and wormable vulnerability in the Windows DNS Server that affects Windows Server versions 2013 to 2019. CVE-2020-1350, which has a CVSS base score of 10.0, should be a top priority for any environment running Windows DNS Server.
SIGRed was the standout among 123 CVEs Microsoft fixed as part of its monthly Patch Tuesday rollout. DNS experts say a combination of factors -- including ease of exploitation, severity of an attack, and shift in attacker techniques -- could make this vulnerability dangerous to companies that neglect to patch. It's possible businesses may not know they're exposed until it's too late.
"This is a vulnerability that's serious enough to give somebody access to the host that's actually running the Microsoft DNS Server," says Cricket Liu, chief DNS architect at Infoblox. This host is often the domain controller, he says. If attackers gain access to a domain controller and a target organization has an extensive DNS infrastructure based on Windows DNS Server, they could potentially propagate from the initial host to all internal domain controllers, Liu explains.
SIGRed was named for SIG records, which can be used to trigger this vulnerability. Attackers would have to fashion and publish a SIG or RRSIG record on an authoritative DNS server on the Internet. From there, he adds, they would need to make an organization's DNS server look up that record. SIG records are not widely used, but there are ways to force such a lookup. The Check Point researchers who discovered SIGRed found attackers could simply get someone to visit a web page, inducing the browser to send a DNS query to a nearby DNS server.
Successful attackers could achieve domain administrator rights and compromise the entire corporate infrastructure. They might launch a botnet running at a high-privilege level inside a number of businesses or use their access as a launch point for further malicious activity. And, as DNS experts point out, they don't need to be sophisticated to pull this off.
"This one is highly exploitable by people who don't need significant technical knowledge," says Rodney Joffe, senior vice president and security CTO at Neustar, who notes the shift to working from home could put businesses at greater risk as attackers target remote employees. Without the protections of corporate offices, it's easier and more appealing for adversaries to break in.
Rather than targeting a large enterprise environment, attackers can now target thousands of employees who need privileged access to do their jobs. They only need to get onto an employee's home network and move laterally to find a personal device being used for work. This shift, combined with the easily exploitable SIGRed vulnerability, creates "a perfect storm online," Joffe explains.
"From an enterprise point of view, this is one of the top two or three things that need to be patched very, very quickly [from] over the past year," he adds.
As Check Point researchers point out, this vulnerability could have a severe impact. It's common to find unpatched Windows domain environments, especially domain controllers, and some Internet service providers may have set up their public DNS servers as Windows DNS.
Gotta Patch 'Em All
Large enterprises can't afford to wait until their next patching cycle to apply the fix for SIGRed. Now that it has been disclosed, it's likely attackers are scanning for, and identifying, vulnerable systems online. Applying the fix may not be easy for businesses running Windows DNS Server.
IT admins may run into challenges where the DNS server and the domain controller run on the same machine.
"If you have folks running domain controllers, you don't want to be interrupting service on those boxes," Liu says. "People are very sensitive to doing any kind of maintenance on a domain controller if it might impair that box's functionality, since they're so critical to letting people log in and access resources within the domain."
A big problem, especially in legacy environments, is that these machines are often overlooked. The vulnerability is 17 years old, so there are likely machines that have never caused problems and won't be patched simply because admins don't realize they're running Windows DNS Server. It's these machines that could prove the greatest threat if they aren't patched quickly.
Joffe advises monitoring all internal traffic for DNS traffic coming from unknown, unidentified, and unexpected Windows machines. In addition to commercial offerings, there are a number of open source and community-based services businesses can use to watch their traffic. He cites Spamhaus, SURBL, Shadowserver, and Dissect Cyber as examples of open source initiatives.
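The kind of triage Joffe describes, as an added example that is not from the article or the experts quoted: it walks constructed DNS query log lines and flags internal hosts that resolve names on the Internet without being on the approved resolver list (candidates for the overlooked Windows DNS Servers discussed above), and separately flags the rarely seen SIG/RRSIG lookups that SIGRed is tied to. The log field layout, the 10.0.0.0/8 range and the resolver inventory are all assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (not captured traffic): one DNS query per line as a
# network sensor might record it. The field layout is an assumption for this example.
SAMPLE_LOG = """\
2020-07-20T10:01:02 src=10.0.1.5 dst=10.0.0.10 dport=53 qtype=A qname=intranet.corp.example
2020-07-20T10:01:03 src=10.0.0.10 dst=198.51.100.53 dport=53 qtype=A qname=www.example.org
2020-07-20T10:01:05 src=10.0.3.77 dst=203.0.113.9 dport=53 qtype=SIG qname=unknown-zone.example
2020-07-20T10:01:07 src=10.0.0.11 dst=10.0.0.10 dport=53 qtype=RRSIG qname=corp.example
2020-07-20T10:01:09 src=10.0.5.20 dst=203.0.113.9 dport=53 qtype=A qname=updates.example.net
"""

# Assumed inventory: the only resolvers that are supposed to talk to the Internet.
APPROVED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
# Record types the article ties to SIGRed; rare enough in normal traffic to review.
SIG_TYPES = {"SIG", "RRSIG"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) qtype=(\S+) qname=(\S+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, approved=APPROVED_RESOLVERS):
    """Return findings as (line_no, reason, src, qtype, qname) tuples."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m or m.group(3) != "53":
            continue  # not a DNS query record we understand
        src, dst, _, qtype, qname = m.groups()
        # An internal host that is not an approved resolver yet queries the
        # Internet directly is usually a forgotten or unmanaged DNS server.
        if is_internal(src) and not is_internal(dst) and src not in approved:
            findings.append((line_no, "unapproved-host-resolving-externally", src, qtype, qname))
        # SIG/RRSIG lookups are uncommon; record them so the query path can be traced.
        if qtype.upper() in SIG_TYPES:
            findings.append((line_no, "sig-record-lookup", src, qtype, qname))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("line %d: %s src=%s qtype=%s qname=%s" % f)
```

Hosts flagged by the first rule belong in the audit list Vixie calls for; the second rule is a review trigger, not proof of anything, since legitimate DNSSEC-aware resolvers also request RRSIG data.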
"Please find out what kind of shadow IT, what kind of abandonware, what kind of systems may be carrying data for your enterprise, in your role as a counterparty to the people outside your enterprise," urges Paul Vixie, chairman, CEO, and co-founder of Farsight Security. "Do the audit, do the fixing, hire a consultant if you have to, hire an MSSP … find every Windows server doing something at every IP address in your network."
The damage from SIGRed will not come immediately, Vixie says, but in the long term due to organizations that didn't do their due diligence.
Consider a Heterogeneous Infrastructure
SIGRed is an example of how businesses may benefit from a heterogeneous DNS infrastructure, Liu says. If Microsoft's DNS servers forwarded to another type of DNS server without this vulnerability, then an attacker wouldn't be able to exploit SIGRed to compromise them.
"If you go all in with a particular provider or particular technology, you can pay the price," he says. Liu cites the 2016 Dyn DDoS attack as an example of what could happen if an organization puts "all their eggs in one basket." Many of the companies that went down in the Dyn attack solely used Dyn as their DNS infrastructure, he says.
Running a heterogeneous infrastructure may be more onerous compared with only using Windows DNS, Liu says. In his experience, he continues, open source DNS implementations like BIND and Unbound tend to have more security features than Microsoft DNS Server, which historically ran on enterprise WANs and lacks many advanced DNS security features businesses may want for a server that's directly exposed to the Internet.