News: 0133358722

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft Warns of a 17-Year-Old 'Wormable' Bug (wired.com)

(Tuesday July 14, 2020 @07:30PM (msmash) from the watch-out dept.)


Since WannaCry and NotPetya struck the internet just over three years ago, the security industry has scrutinized every new Windows bug that could be used to create a similar world-shaking worm. Now one potentially "wormable" vulnerability -- meaning an attack can spread from one machine to another with no human interaction -- has [1]appeared in Microsoft's implementation of the domain name system protocol , one of the fundamental building blocks of the internet. From a report:

> As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company's researchers have named SigRed. The SigRed bug exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organization around the world. The bug, Check Point says, has existed in that software for a remarkable 17 years. Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.

>

> On top of all of that, says Check Point's head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. "It requires no interaction. And not only that, once you're inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy," says Omri Herscovici. "It's basically game over." Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)



[1] https://www.wired.com/story/sigred-windows-dns-flas-wormable/

Decades of DNS negligence (Score:5, Insightful)

by dicobalt ( 1536225 )

Until very recently DNS has been woefully overlooked from a security standpoint. I'm sure there are many more bugs waiting to be revealed. Meanwhile the ISPs are fighting to keep DNS insecure for "marketing purposes" because secure DNS "breaks the internet".

Re: (Score:2)

by Train0987 ( 1059246 )

This bug lives in the code for DNSSEC though.

"Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC"

Re: (Score:1)

by minorityreport ( 6925286 )

[1]Train0987 [slashdot.org]: ‘This bug lives in the code for DNSSEC though.’

“ Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC ”

[2]ref [wired.com]: “ That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target se

[1] https://it.slashdot.org/comments.pl?sid=16776200&cid=60298346

[2] https://www.wired.com/story/sigred-windows-dns-flas-wormable/

Re: (Score:2)

by nuckfuts ( 690967 )

> Until very recently DNS has been woefully overlooked from a security standpoint.

What makes you say that? I seem to recall many vulnerabilities being addressed over the years, in software like BIND for example. People even went so far as to write [1]alternative software [wikipedia.org] from the ground up.

> Meanwhile the ISPs are fighting to keep DNS insecure for "marketing purposes" because secure DNS "breaks the internet".

There are two different ways that DNS could be "insecure". One way (that you are referencing) is that other people on the Internet can know what names you're doing queries on. This is "insecure" in terms of privacy.

The other type of "insecure" is when a DNS server gets owned due to a software vulnerabilit

[1] https://en.wikipedia.org/wiki/Unbound_(DNS_server)

Re: (Score:2)

by fred911 ( 83970 )

''DNS has been woefully overlooked from a security standpoint.''

Absolutely. The attack is dependant upon the ability to feign the resultant LP attached to the misdirection and the payload or utility of the result. So it's not a kiddy scrip.

But 17 years.. tell me it's not been exploited millions of times before even three years ago.

Shameful.

Great (Score:2)

by Train0987 ( 1059246 )

That's nice of Checkpoint to wait a whole hour after the patch is available to detail this 10/10 threat to the world. I'm sure everyone is already patched up and this won't cause any problems at all.

Re:Great (Score:5, Informative)

by BeerFartMoron ( 624900 )

Microsoft released the patch at 1:00PM ET today along with their [1]KB articles [microsoft.com]. You can download the patch for yourself and reverse engineer it without the Checkpoint write-up or any other of the multiple write-ups currently available on the Internet. Just patch any Windows DNS servers you might have and relax.

Or apply the workaround (no reboot needed, only a DNS service restart) and then apply the patches per your normal maintenence schedule.

> To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

> DWORD: TcpReceivePacketSize

> Value = 0xFF00

[1] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Thank Microsoft for that (Score:2)

by DesScorp ( 410532 )

> That's nice of Checkpoint to wait a whole hour after the patch is available to detail this 10/10 threat to the world. I'm sure everyone is already patched up and this won't cause any problems at all.

Apparently MS wanted this on the down low as long as possible. From the article:

Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers

Re: (Score:1)

by Train0987 ( 1059246 )

Yes they could've let it fly under the radar for a few weeks instead of painting a big bullseye on every corp network on the planet.

Re: (Score:2)

by tlhIngan ( 30335 )

>> That's nice of Checkpoint to wait a whole hour after the patch is available to detail this 10/10 threat to the world. I'm sure everyone is already patched up and this won't cause any problems at all.

> Apparently MS wanted this on the down low as long as possible. From the article:

> Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers

Or they wanted to let Check Point release the de

Blend until smooth.