The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to civilian federal agencies that run Windows Server, ordering them to patch, within 24 hours, a critical security vulnerability disclosed by Microsoft Corp.
The vulnerability, discovered by security researchers at Check Point, has been named SIGRed, and the agencies have been told to patch it immediately.
What do you need to know?
According to the reports, CISA's emergency directive obliges the agencies to update every endpoint running a Windows Server operating system within 24 hours. CISA says it is not currently aware of active exploitation of this vulnerability.
However, it assesses that the underlying vulnerability could quickly be reverse-engineered from the publicly available patch. Two recognized technical mitigations are available for this vulnerability:-
- Software update
- Registry modification
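The registry workaround Microsoft published for CVE-2020-1350 caps the size of DNS responses the server accepts over TCP at 0xFF00 bytes (the default maximum is 0xFFFF) and requires a restart of the DNS service to take effect. The script below is an added example written for this page, not code from the article, Check Point or Microsoft; it assumes it is run in an elevated PowerShell session on the Windows DNS Server itself and that the update has not yet been installed.

```powershell
# Added example: apply the TcpReceivePacketSize registry workaround for CVE-2020-1350.
# Assumes an elevated session on the affected Windows DNS Server.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name  = 'TcpReceivePacketSize'
$value = 0xFF00   # maximum TCP DNS response size the server will accept

# Record the current state so the change can be reverted once the security update is installed.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) {
    Write-Host "$name before: <not set> (server uses its default, 0xFFFF)"
} else {
    Write-Host ("{0} before: 0x{1:X}" -f $name, $before)
}

# Create or overwrite the DWORD value.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null

# The DNS service must be restarted for the change to take effect.
Restart-Service -Name DNS

# Verify the value actually landed before trusting the mitigation.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne $value) {
    throw "Registry value not applied: expected 0x$('{0:X}' -f $value), got $after"
}
Write-Host ("{0} now 0x{1:X}; DNS service restarted" -f $name, $after)
```

Once the update is installed, the workaround can be removed with `Remove-ItemProperty -Path $key -Name $name` followed by another `Restart-Service -Name DNS`; note that while the cap is in place, legitimate TCP responses larger than 65,280 bytes will be rejected.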
At the time of review, the security researchers had not found any publicly available proof-of-concept code for the SIGRed vulnerability, which has likely delayed the start of in-the-wild exploitation.
The vulnerability is tracked as CVE-2020-1350 and is one of several vulnerabilities published this month that earned a severity score of 10 out of 10 on the CVSSv3 scale.
NS Records to the Rescue
An NS (Name Server) record indicates which DNS server is authoritative for a particular domain; in other words, it identifies the server that holds the domain's actual DNS records.
NS records are also what delegate the subdomains of a given domain. A domain frequently has several NS records, listing the primary and backup name servers for that domain.
So, to make the targeted Windows DNS Server parse replies from the malicious DNS name server, the researchers follow these steps:-
- First, they configure the NS records of their domain (deadbeef.fun) to point at the malicious DNS server (ns1.41414141.club).
- Next, they ask the victim Windows DNS Server for the NS records of deadbeef.fun.
- The victim DNS server does not know the answer to this query, so it forwards the question to the DNS server above it (188.8.131.52).
- The authoritative server (184.108.40.206) knows the answer and replies that the name server for deadbeef.fun is ns1.41414141.club.
- The victim Windows DNS Server processes and caches this response.
- The next time they query for a subdomain of deadbeef.fun, the target Windows DNS Server queries ns1.41414141.club for the answer, since it is now the cached name server for that domain.
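The steps above rely on ordinary resolver behaviour: once an NS answer is cached, later queries for names under that zone go straight to the delegated server. The toy model below is an added example written for this page, not Check Point's code and not the Windows DNS Server's implementation; it uses the domain and name-server host from the text, stands in for the upstream server with a server simply called "upstream", and the address 203.0.113.7 is a constructed placeholder answer. The victim resolver's query log and the attacker server's received-query list show that the second lookup lands on ns1.41414141.club.

```python
"""Toy model of NS delegation steering a recursive resolver to an attacker's server.

Added example for this page; a simplified resolver, not the Windows DNS Server logic.
Names are those from the text; 203.0.113.7 is a constructed placeholder rdata.
"""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """A DNS server the resolver can reach; records keyed by (name, type)."""
    name: str
    records: dict
    queries: list = field(default_factory=list)  # every query this server received

    def answer(self, qname: str, qtype: str) -> list:
        self.queries.append((qname, qtype))
        return self.records.get((qname, qtype), [])


class RecursiveResolver:
    """Victim model: caches answers and, for any name under a zone whose NS record
    is cached, sends the query directly to that zone's name server."""

    def __init__(self, upstream: NameServer, servers: dict):
        self.upstream = upstream   # asked when no delegation is cached
        self.servers = servers     # name-server host name -> NameServer object
        self.cache = {}            # (qname, qtype) -> rdata list
        self.log = []              # (server asked, qname, qtype)

    def _delegated_server(self, qname: str):
        labels = qname.split(".")
        for i in range(len(labels)):          # walk up: a.b.c -> b.c -> c
            zone = ".".join(labels[i:])
            ns = self.cache.get((zone, "NS"))
            if ns:
                return self.servers[ns[0]]
        return None

    def resolve(self, qname: str, qtype: str) -> list:
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        target = self._delegated_server(qname) or self.upstream
        self.log.append((target.name, qname, qtype))
        rdata = target.answer(qname, qtype)
        if rdata:
            self.cache[(qname, qtype)] = rdata
        return rdata


def run_scenario():
    """Replays the delegation steps from the text; returns (victim, attacker server)."""
    attacker_ns = NameServer("ns1.41414141.club",
                             {("www.deadbeef.fun", "A"): ["203.0.113.7"]})  # constructed
    # Stand-in for the server above the victim; it knows the attacker-set NS record.
    upstream = NameServer("upstream", {("deadbeef.fun", "NS"): ["ns1.41414141.club"]})
    victim = RecursiveResolver(upstream, {"ns1.41414141.club": attacker_ns})

    victim.resolve("deadbeef.fun", "NS")      # step 2-5: NS answer gets cached
    victim.resolve("www.deadbeef.fun", "A")   # step 6: goes to the attacker's server
    return victim, attacker_ns


if __name__ == "__main__":
    victim, attacker_ns = run_scenario()
    for server, qname, qtype in victim.log:
        print(f"victim asked {server:20s} for {qname} {qtype}")
    print("attacker server received:", attacker_ns.queries)
```

Any response the attacker's server returns at that second step is parsed by the victim, which is why control over the NS record is all that is needed to deliver a crafted reply to the vulnerable code.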
According to the Check Point report, the vulnerability is an integer overflow leading to a heap-based buffer overflow. Because it is wormable, malware exploiting it could spread between vulnerable machines without any user interaction.
The Windows DNS Server is a core networking component. Although the vulnerability is not currently known to be used in active attacks, users should apply the Windows updates that address it as soon as possible.
As for the exact exploitation strategy and key details, Microsoft has asked Check Point not to disclose them for now, and Check Point stated: “We're determined to keep information about the exploitation primitives in sequence to provide users enough time to patch their DNS servers successfully.”
They do, however, discuss their exploitation plan as it applies to Windows Server 2012 R2, and they expect it to apply to other versions of Windows Server as well. The researchers stated that to exploit this flaw as a full Remote Code Execution while bypassing CFG (Control Flow Guard), they need to find primitives that provide the following capabilities:-
- An info leak
To help organizations manage their risk, CISA offers a variety of cyber hygiene services, such as vulnerability scanning, web application scanning, and phishing campaign assessments. It recommends these services to its customers because they can identify whether a customer is exposed to this Windows Server vulnerability, notify them, and let them take appropriate action quickly.