Imagine what could happen if someone was able to intercept and read every piece of your mail without your knowledge, before forwarding it on to you: your new bank card, your replacement driver’s license or passport, letters from your doctor, application forms and more. It’s not hard to understand what that person could learn about you, and what damaging things they could do by copying or tampering with your mail.
Now imagine that a hacker could do the same on your organization’s network, intercepting and manipulating users’ emails and network traffic, making services unavailable, harvesting users’ credentials and more. In effect, they would be able to seize complete control of your IT.
Check Point researchers recently discovered a critical vulnerability that would allow an attacker to do exactly this in Windows DNS Server, an essential component of any Windows network environment. We reported it to Microsoft, who acknowledged it as a critical vulnerability (CVSS score 10.0 – indicating the highest possible severity) and issued an urgent patch for it. We strongly recommend users apply the patch to their affected Windows DNS Server versions from 2003 to 2019 to prevent the exploitation of this vulnerability.
Let’s take a closer look at what DNS is, and why this newly-discovered vulnerability is so critical.
Addressing the issue
DNS is part of the global internet infrastructure that translates the familiar website names that we all use, into the strings of numbers that computers need in order to find that website, or send an email. It’s the ‘address book’ of the internet. When you have a domain name – for example, www.checkpoint.com – you control what number that name resolves to via a ‘DNS record.’
But what happens if someone is able to tamper with the DNS records your organization’s network uses, to change the addresses that a website name translates to? Then it becomes a critical security issue – just like the example mentioned earlier, of someone intercepting and studying all of your mail.
To highlight just how dangerous a security problem DNS tampering can be, in 2019 the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the credentials for their Internet domain records, in response to an international Domain Name System (DNS) hijacking campaign. The perpetrators behind the campaign were able to steal email and other login credentials from a number of government and private sector entities in the Middle East by hijacking the DNS servers for these targets, so that all email and VPN traffic was redirected to Internet addresses controlled by the attackers.
A contagious flaw
The vulnerability that Check Point uncovered exposes all organizations using Windows Server versions 2003 to 2019 to exactly the same risks: if exploited, it would give a hacker Domain Administrator rights over the server, and compromise the entire corporate infrastructure.
The flaw is in the way the Windows DNS server parses an incoming DNS query, and in the way it parses a response to a forwarded DNS query. If triggered by a malicious DNS query (as detailed in our full research blog), it triggers a heap-based buffer overflow, enabling the hacker to take control of the server.
To add to the severity of the flaw, Microsoft described it as ‘wormable,’ which means that a single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction. As DNS security is not something many organizations monitor for, or have tight controls around, this means that a single compromised machine could be a ‘super spreader,’ enabling the attack to spread throughout an organization’s network within minutes of the first exploit.
Disclosure and mitigation
We disclosed our research findings to Microsoft on 19th May, and they responded quickly, creating the protection Microsoft Windows DNS Server Remote Code Execution (CVE-2020-1350). The patch is available from today, Tuesday 14 July.
We strongly recommend users to patch their affected Windows DNS Servers in order to prevent the exploitation of this vulnerability. We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.
For the full details of our investigation into this vulnerability, visit our research blog at https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/
Check Point IPS blade provides protection against this threat:
“Microsoft Windows DNS Server SIG Record Parsing Buffer Overflow”
“Check Point SandBlast Agent E83.11 also protects against this threat”