Security researchers from Check Point Research discovered a critical vulnerability in DNS Server component of Windows Server, which affects every version of Windows Server released in the past 17 years and allows an attacker to fully compromise a system.
The vulnerability, identified as CVE-2020-1350 and named SigRed, belongs to remote code execution class of vulnerabilities, as its successful exploitation can allow an unauthenticated attacker to run malicious code via network on a vulnerable system. Exploitation is possible by sending a malicious DNS query to the Windows DNS Server, resulting in a buffer overflow.
Test the real-world effectiveness of your security controls while achieving compliance and protecting your brand.
Usually, exposed and potentially vulnerable components run with limited set of privileges, thus requiring attackers to pair remote code execution vulnerabilities with privilege escalation type of vulnerabilities. However, that is not the case with SigRed. DNS Server component runs with full system privileges, which means total system compromise after a successful exploitation. Ability to execute code via network also makes it highly wormable, with the potential to move throughout the entire company.
Because of its impact and network attack vector, SigRed has earned the highest possible CVSS score of 10.
Microsoft released a patch on 7/14/2020 for Windows Server 2008 and up, along with a mitigation for systems, which cannot immediately apply the patch. Customers are advised to patch as soon as possible, as there are proof of concepts already emerging on the Internet, allowing even technologically less advanced attackers to exploit the vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive, that requires federal departments and agencies to apply the patch or disconnect any vulnerable systems. This is the second time the agency has released such directive since its formation in 2018.
It’s recommend for everyone to identify all the vulnerable systems and apply the patch as soon as possible. While there are no reports of active attacks yet, the real-life abuse of this vulnerability by threat actors is very likely.
Are your servers vulnerable?
Invest in A Penetration Test Today, Call LIFARS For More Information