Patch Tuesday (July 2020): Microsoft Fixes a 17-Year-Old Flaw Found in Windows DNS Servers
The vulnerability has been rated 10.0 in terms of severity. The flaw could be exploited anytime soon, so it’s crucial for all organizations to patch their systems
The recurring monthly security updates from Microsoft are now out. In the July 2020 Patch Tuesday, the Redmond giant released updates to fix 123 vulnerabilities found in Windows and other software. The most notable one is a critical, wormable vulnerability spotted in Windows Server versions from 2003 to 2019. According to Microsoft, the flaw could be exploited anytime soon, so it’s crucial for all organizations to patch their systems as soon as possible as an entire organization’s network could become compromised. Even though none of the vulnerabilities have been spotted being exploited in the wild so far, we urge you to prioritize this serious security issue and apply your updates immediately!
CVE-2020-1350 has been given a CVSS severity score of 10.0
CVE-2020-1350, dubbed SigRed, is the most recent major concern for system administrators in charge of patching. This is a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that has been classified as a wormable (self-propagating) vulnerability. It has been rated by Microsoft with a CVSS base score of 10.0, being the result of a flaw in Microsoft’s DNS server role implementation. It affects all Windows Server versions (keep in mind that non-Microsoft DNS Servers are not affected). Basically, an exploitable vulnerability in Windows Server could allow attackers to install malware by sending a specially crafted DNS request.
Heimdal™ Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Why is this vulnerability highly dangerous?
All wormable vulnerabilities can be passed on from endpoint to endpoint through malware without the need for any user interaction. The Windows DNS server is the main network component and if a compromised user with elevated privilege becomes compromised, the attacker could also be granted admin rights. In some cases, the vulnerability can be leveraged remotely through the browser. The attacker could take control of the server and perform malicious actions such as gain complete access to the network, steal the employees’ credentials, etc. No one has reported the weakness having been exploited in the wild (as of yet), but Microsoft still advises everyone to apply the updates.
“While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible”. “DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high-level domain accounts.”, writes Microsoft.
As reported by ZDNet, the issue has been lingering in Microsoft’s code for 17 years, yet there is no evidence that it has ever been abused in the real world.
Is there a workaround for SigRed?
Even though we don’t advise you to delay the patching process, if you are unable to quickly apply the patches, there is a registry-based workaround available that can be implemented without requiring an administrator to restart the server. You can find guidance for the DNS Server Vulnerability CVE-2020-1350 on Microsoft’s support page until you manage to apply the patch over the next few days. What you need to do is make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f net stop DNS && net start DNS
Once you apply this temporary workaround, a Windows DNS server will not be able to resolve DNS names for its clients when the DNS response is larger than 65280 bytes.
What other flaws are addressed in the July 2020 Patch Tuesday
CVE-2020-1350 is not the only alarming vulnerability fixed in this month’s Patch Tuesday. Another 17 critical vulnerabilities found in Microsoft software could allow for remote code execution without user intervention. In most cases, users whose accounts have fewer rights on the system would be less impacted than the ones who have been granted admin rights. This means that attackers could perform malicious actions on behalf of the targeted user, should they be operating with elevated permissions. Referring to the July 2020 Patch Tuesday, we would like to point out the vulnerabilities below.
- Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448)
- Microsoft Excel (CVE-2020-1240)
- Microsoft Outlook (CVE-2020-1349)
- Microsoft SharePoint (CVE-2020-1444)
Should they become successfully exploited, they would allow for Remote Code Execution. This month’s security updates address the vulnerabilities by correcting how each piece of software handles files in memory.
Heimdal™ Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
HeimdalTM Security customers using either Heimdal™ Threat Prevention (or its built-in Patch management software module) with automatic updates turned on do not need to take any action, as they are fully protected. Heimdal™ Patch & Asset Management is the easiest solution to patch management with customizable set-and-forget settings for Automatic deployment of software and updates, which guarantees full compliance and a CVE/CVSS audit trail. We deliver updates fully repackaged, ad-free, and tested, using encrypted packages through HTTPS transfers. The distribution is also optimized locally using a P2P network between the customer’s own endpoints, and the software center allows customers to remove admin rights and permit their users to click-and-install pre-approved software only. Get in touch with us today and learn how patch management can truly become easy!