14.07.2020

SIGRed, not just another Microsoft vulnerability

Microsoft patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. According to researchers from Check Point, the bug appears to have been around for nearly 20 years.

CVE-2020-1350, aka SIGRed, is a wormable remote code execution flaw in the way Windows Server handles incoming DNS requests. According to Dustin Childs of Trend Micro's Zero Day Initiative (ZDI), the flaw is exploited by sending a specially crafted TCP DNS request to a vulnerable server, which triggers the execution of arbitrary malicious code at the level of the Local System account. This code can then install spyware, open a backdoor, and so on. That means game over: total control over the box. Childs also said the hole, a classic heap-based buffer overflow, is "wormable – at least between affected DNS servers."
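Because the flaw is reached through a DNS message carried over TCP, it is worth seeing what a defensive framing check on that channel looks like. The following is an added example, not code from the article, from Check Point or from Microsoft: it splits a TCP byte stream into DNS messages using the 2-byte length prefix that DNS-over-TCP mandates, rejects frames whose declared length is implausible (shorter than a DNS header, larger than a chosen cap, or larger than the bytes actually present), and decodes the header of each accepted frame. The cap value `MAX_TCP_DNS_MESSAGE` and the sample frames are constructed for the example; they are assumptions, not values taken from the vulnerability or its patch.

```python
import struct

# Assumed defender-chosen ceiling for a single DNS-over-TCP message. The protocol
# itself allows up to 65535 bytes; a monitoring point may enforce something lower.
MAX_TCP_DNS_MESSAGE = 0xFF00

DNS_HEADER_LEN = 12


def split_tcp_dns_frames(stream: bytes, max_len: int = MAX_TCP_DNS_MESSAGE):
    """Split a TCP byte stream into DNS messages.

    Each DNS-over-TCP message is prefixed with a 2-byte big-endian length.
    Returns a list of (ok, payload_or_reason) tuples; parsing stops at the
    first frame that fails validation, since nothing after it can be trusted.
    """
    frames = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 2:
            frames.append((False, "truncated length prefix"))
            break
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if length < DNS_HEADER_LEN:
            frames.append((False, f"declared length {length} is shorter than a DNS header"))
            break
        if length > max_len:
            frames.append((False, f"declared length {length} exceeds cap {max_len}"))
            break
        remaining = len(stream) - offset
        if remaining < length:
            frames.append((False, f"declared {length} bytes but only {remaining} present"))
            break
        frames.append((True, stream[offset:offset + length]))
        offset += length
    return frames


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of an already-validated message."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    return {
        "id": qid,
        "is_response": bool(flags >> 15),
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


# --- constructed sample data (not captured traffic) -------------------------

def build_query(qid: int, name: str) -> bytes:
    """Build a minimal standard query for an A record of `name`."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame(msg: bytes) -> bytes:
    """Add the DNS-over-TCP length prefix."""
    return struct.pack("!H", len(msg)) + msg


GOOD_QUERY = build_query(0x1234, "example.com")

# Constructed frame whose prefix claims 0xFFFF bytes but carries only a header.
OVERSIZED_FRAME = struct.pack("!H", 0xFFFF) + struct.pack("!6H", 0x5678, 0x8180, 1, 1, 0, 0)

SAMPLE_STREAM = frame(GOOD_QUERY) + OVERSIZED_FRAME


if __name__ == "__main__":
    for ok, item in split_tcp_dns_frames(SAMPLE_STREAM):
        if ok:
            print("accepted:", parse_header(item))
        else:
            print("rejected:", item)
```

Run stand-alone, the script accepts the first frame and reports the second as exceeding the cap. The same function also catches a stream cut off mid-message, which is the shape a defender most often sees when a connection is dropped or a sender lies about the length; a sensor sitting on TCP/53 can log these rejections as a signal worth correlating with other telemetry from the DNS host.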

What's more, the bug appears to have been around for nearly 20 years. Researchers at Check Point, who discovered and reported the flaw to Microsoft, reckon the vulnerability is exposed in Windows Server builds as far back as 2003.

More information from Check Point Research can be found here.