Since WannaCry and NotPetya struck the internet just over three years ago, the security industry has scrutinized every new Windows bug that could be used to create a similar world-shaking worm. Now one potentially “wormable” vulnerability—meaning an attack can spread from one machine to another with no human interaction—has appeared in Microsoft’s implementation of the domain name system protocol, one of the fundamental building blocks of the internet.
As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company’s researchers have named SigRed. The SigRed bug exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organization around the world. The bug, Check Point says, has existed in that software for a remarkable 17 years.
Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry-standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.
On top of all of that, says Check Point’s head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. “It requires no interaction. And not only that, once you’re inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy,” says Omri Herscovici. “It’s basically game over.”
Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that’s part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they’re not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)
For the remote, no-interaction version of the attack that Check Point’s Herscovici describes, the target DNS server would have to be exposed directly to the internet, which is rare in most networks; administrators generally run Windows DNS on servers that they keep behind a firewall. But Herscovici points out that if a hacker can get access to the local network by accessing the corporate Wi-Fi or plugging a computer into the corporate LAN, they can trigger the same DNS server takeover. And it may also be possible to exploit the vulnerability with just a link in a phishing email: Trick a target into clicking that link and their browser will initiate the same key exchange on the DNS server that gives the hacker full control of it.
Check Point only demonstrated that it could crash a target DNS server with that phishing trick, not hijack it. But Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it’s likely that the phishing trick could be finessed to allow a full takeover of the target DNS server in the vast majority of networks that don’t block outbound traffic on their firewalls. “With some careful crafting, you could probably target DNS servers that are behind a firewall,” Williams says.
While many large organizations use the BIND implementation of DNS that runs on Linux servers, smaller organizations commonly run Windows DNS, says Williams, so thousands of IT administrators will likely need to rush to patch the SigRed bug. And because the SigRed vulnerability has existed in Windows DNS since 2003, practically every version of the software has been vulnerable.
While those organizations rarely expose their Windows DNS servers to the internet, both Check Point and Williams warn that many administrators have made architectural changes to networks—often questionable ones—to better allow employees to work from home since the beginning of the Covid-19 pandemic. That could mean more exposed Windows DNS servers that are open to full remote exploitation. “The threat landscape of internet-exposed things has risen dramatically” in recent months, Williams says.
The good news, Check Point says, is that detecting SigRed exploitation of a Windows DNS server is relatively easy, given the noisy communications necessary to trigger the vulnerability. The firm says that despite the 17 years that SigRed has lingered in Windows DNS, it has yet to find any indication of an attack on its clients’ networks so far. “We’re not aware of anyone using this, but if they did, hopefully now it will stop,” Herscovici says. But in the short term at least, Microsoft’s patch could also lead to more exploitation of the bug as hackers reverse engineer the patch to discover exactly how the vulnerability can be triggered.
How Serious Is This?
Check Point’s Herscovici argues that the SigRed bug should be taken as seriously as the flaws exploited by older Windows hacking techniques like EternalBlue and BlueKeep. Both of those Windows exploitation methods raised alarms because of their potential to spread from machine to machine over the internet. While BlueKeep never resulted in a worm or any mass hacking incidents beyond some cryptocurrency mining, EternalBlue was integrated into both the WannaCry and NotPetya worms that rampaged across global networks in the spring and summer of 2017, becoming the two most damaging computer worms in history. “I would compare this to BlueKeep or EternalBlue,” says Herscovici. “If this vulnerability were to be exploited, we might get a new WannaCry.”
But Rendition Infosec’s Williams argues that the SigRed bug is more likely to be exploited in targeted attacks. Most SigRed techniques likely won’t be very reliable, given that a Windows mitigation called “control flow guard” may sometimes cause machines to crash rather than being hijacked, Williams says. And fully exposed Windows DNS servers are relatively rare, so the population of machines vulnerable to a worm isn’t comparable to BlueKeep or EternalBlue. The phishing technique to exploit SigRed doesn’t lend itself to a worm nearly as well, since it would require users to click a link.
SigRed could, however, serve as a powerful tool for more discriminating hackers. And that means Windows administrators should rush to patch it immediately. “Technically, it’s wormable, but I don’t think there will be a worm based on the mechanics of this,” Williams says. “But there’s no question in my mind that well-funded adversaries will make an exploit for it.”