Microsoft Corporation on Patch Tuesday addressed 123 vulnerabilities — 18 of them critical — including a “wormable” flaw in Windows DNS Service that could be leveraged to execute remote code in the context of the Local System Account and then spread malware across various network devices.
Officially designated CVE-2020-1350, the wormable flaw is caused by the improper handling of requests, and therefore can be exploited via malicious requests to Windows servers configured as DNS servers.
“DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts,” Microsoft warns in an advisory. “The vulnerability stems from a flaw in Microsoft’s DNS server implementation and is not the result of a protocol level flaw, so it does not affect any other non-Microsoft DNS server implementations.”
Researchers Sagi Tzadik and Eyal Itkin from Check Point Software Technologies are credited with uncovering CVE-2020-1350. In a technical analysis, Check Point refers to the bug as SIGRed.
Users are encouraged to apply the fix immediately, but Microsoft has also identified a registry modification as a workaround if immediate patching isn’t possible.
The additional 122 vulnerabilities addressed by Microsoft this month cover a range of software and systems, including Windows; Edge (EdgeHTML-based); Edge (Chromium-based) in IE Mode; ChakraCore; Internet Explorer; Office and Office Services and Web Apps; Windows Defender; Skype for Business; Visual Studio; OneDrive; Open Source Software; .NET Framework; and Azure DevOps.
“This month marks the fifth month in a row that Microsoft has released patches for more than 110 CVEs,” reads newly released Patch Tuesday analysis from Trend Micro’s Zero Day Initiative (ZDI). “This brings the total number of Microsoft patches released this year to 742, surpassing totals for 2017 (665) and 2018 (691). At this pace, Microsoft will eclipse the number of patches in 2019 (851) next month.”
Chris Hass, former NSA security analyst and current director of information security and research at Automox, said that CVE-2020-1350 “could very well be the most critical Windows vulnerability released this year…”
Hass said the flaw’s wormable capability “adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as WannaCry and NotPetya.” He added that Automox expects that “we will see this vulnerability exploited in the wild soon.”
Check Point’s researchers agree. “We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug,” states a company research report authored by Tzadik. “Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.”