Microsoft Windows is no stranger to security flaws. Researchers at Check Point recently discovered a critical vulnerability that has existed as far back as 2003. The vulnerability, known as SIGRed, impacts Windows DNS Servers and is so bad it was given the highest possible score of 10.0 on the Common Vulnerability Scoring System (CVSS). In most cases receiving a perfect score would be a good thing. That's not the case with CVSS, which scores software vulnerabilities by severity. Microsoft reacted quickly and issued a patch for Microsoft Windows DNS Server Remote Code Execution (CVE-2020-1350). The patch was released on July 14, 2020, and Microsoft strongly recommends that users deploy it as soon as possible to affected Windows DNS Server versions from 2008 to 2019 to prevent exploitation of the vulnerability. Here is the link to Microsoft's security advisory for SIGRed: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350.
While critical vulnerabilities are common for Windows users, SIGRed is distinct in that successful exploitation could give an attacker full Domain Administrator rights. Once that happens, the entire network is at risk. To make matters worse, SIGRed is wormable.
What is a worm?
A worm is a form of malware that copies itself from computer to computer without human interaction. For context, two other pieces of malware that spread as worms and caused catastrophic issues for enterprises are WannaCry and NotPetya.
That’s not all
The most horrifying part is that this affects multiple versions of Windows Server. The National Institute of Standards and Technology (NIST), along with MITRE and other such entities, has posted advisories indicating that the affected versions of Windows Server range from 2008 SP2 through Windows Server 2019 (https://nvd.nist.gov/vuln/detail/CVE-2020-1350). This leaves a lot of companies vulnerable to attack if they aren't using automatic updates or simply haven't been able to get the patch incorporated into their patching cadence.
If patching is not possible, Microsoft has provided a registry-based workaround that restricts the size of the largest inbound TCP-based DNS response packet. Details for how to perform the registry workaround are provided on the Microsoft support portal (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability). As with all changes, TechGuard Security strongly recommends that you apply the patch or the registry workaround in your testing environment prior to deploying to your production environment.
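As an added example (not code from the original post or from Microsoft), the following PowerShell audits a Windows DNS Server for the registry workaround described above and can apply it. It assumes the value name, key path and maximum size as documented in the linked Microsoft KB article (TcpReceivePacketSize = 0xFF00 under the DNS\Parameters key); verify those against the KB before use.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and optionally apply the CVE-2020-1350 registry workaround.
# Assumption: path, value name and size follow Microsoft KB4569509 (verify there).
# Patching remains the preferred fix; the workaround only limits inbound TCP DNS responses.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeSize  = 0xFF00   # 65280 bytes, the maximum size the KB recommends

function Get-SigRedWorkaroundState {
    # Returns a summary object suitable for logging or feeding into an inventory.
    $hasDnsRole = $null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue)
    $current = $null
    if (Test-Path $RegPath) {
        $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DnsServerInstalled = $hasDnsRole
        CurrentValue       = $current          # $null means the default (unrestricted) size is in effect
        WorkaroundApplied  = ($null -ne $current -and $current -le $SafeSize)
    }
}

function Set-SigRedWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $RegPath)) {
        throw "DNS Parameters key not found; is the DNS Server role installed?"
    }
    $action = 'Set DWORD to 0x{0:X}' -f $SafeSize
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", $action)) {
        # The KB specifies a DWORD; the change takes effect once the DNS service restarts.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $SafeSize -Force | Out-Null
        Restart-Service -Name DNS
    }
}

# Audit first; apply only where the DNS role is present and the size is not yet restricted.
$state = Get-SigRedWorkaroundState
$state | Format-List
if ($state.DnsServerInstalled -and -not $state.WorkaroundApplied) {
    Set-SigRedWorkaround -WhatIf   # remove -WhatIf to apply after testing in a lab
}
```

Run the audit portion across your DNS servers to find hosts still at the default size, then apply the workaround (or, preferably, the patch) through your normal change process.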
Due to the scope of impacted servers, we recommend patching all your affected devices as soon as possible. Since DNS is part of the global internet infrastructure, this is sure to be another vulnerability that lingers for years to come.