Photo caption: A stock photo of a data center. I spy with my little eye some EMC Symmetrix DMX-3 or DMX-4 hard drive bays on the right and some EMC CX hard drive bays on the left. Disk arrays like these are a mainstay of traditional SANs in enterprise data centers.
Microsoft strongly advises Windows Server customers to address a vulnerability that could allow an attacker to take control of entire networks and quickly spread from computer to computer without user interaction.
The vulnerability, which the researchers who discovered it call SigRed, is in Windows DNS, the component that answers requests to translate a domain name into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code with domain administrator privileges and take control of an entire network from there. The vulnerability, which does not affect client versions of Windows, is present in Windows Server versions from 2003 through 2019. SigRed is officially tracked as CVE-2020-1350. Microsoft released a fix as part of this month's Patch Tuesday update.
Both Microsoft and researchers at Check Point, the security company that discovered the vulnerability, said it is wormable, meaning that exploits can spread from computer to computer in a way that resembles falling dominoes. Worms spread quickly and without user interaction: being connected to the network is enough, and end users need not do anything.
When the underlying vulnerability also makes it easy to run malicious code, wormable exploits can be particularly damaging, as was the case with both the WannaCry and NotPetya attacks in 2017, which shut down networks worldwide and caused billions of dollars in damage.
Check Point researchers said that exploiting SigRed is within the reach of experienced hackers. While there is no evidence that the vulnerability is being actively exploited, Check Point says this is likely to change. If it does, the destructive effects could be severe.
In a technical analysis, Sagi Tzadik, the Check Point researcher who found the vulnerability in May and privately reported it to Microsoft, wrote:
We believe the likelihood of this vulnerability being exploited is high, since we have internally found all the primitives needed to exploit this bug. Due to time constraints, we have not pursued the exploitation of the bug (including chaining all exploitation primitives), but we believe that a determined attacker can exploit it. Successful exploitation of this vulnerability would have severe consequences, since unpatched Windows domain environments, particularly domain controllers, are common. In addition, some Internet service providers (ISPs) may even have set up their public DNS servers as WinDNS.
In a brief write-up, Microsoft analysts agreed that the underlying heap-based buffer overflow is wormable. The company also rated exploitation as "more likely." Many outside researchers agreed.
"If I understand the article correctly, it's actually an understatement to call it 'wormable,'" Vesselin Vladimirov Bontchev, a security expert who works for the National Computer Virology Laboratory in Bulgaria, wrote on Twitter. "It is suitable for a flash worm a la Slammer, which infected the entire population of vulnerable computers on the Internet in about 10 minutes."
– Vess (@VessOnSecurity), July 14, 2020
Bontchev was disagreeing with security researcher Marcus Hutchins, who said attackers were more likely to use SigRed to run crippling ransomware campaigns. In that scenario, attackers take control of a network's DNS server and then use it to push malware to all connected client computers. Slammer refers to SQL Slammer, a 2003 worm that exploited two vulnerabilities in Microsoft SQL Server. Within 10 minutes of going live, SQL Slammer infected more than 75,000 computers, some of them owned by Microsoft.
Organizations running Windows DNS should weigh the risk carefully and install Tuesday's patch as soon as possible. For those who cannot patch immediately, Microsoft has offered a stopgap workaround, described in the articles linked above.
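The stopgap Microsoft published for CVE-2020-1350 is a registry cap on the size of DNS messages the server will accept over TCP: a DWORD named TcpReceivePacketSize set to 0xFF00 under the DNS service's Parameters key, followed by a restart of the DNS Server service. The script below is an added example, not code from Microsoft, Check Point or Ars Technica; it applies that documented workaround on a Windows DNS server, verifies the value persisted, and can remove it again after patching. The function names are this example's own. It must run in an elevated session on the DNS server itself.

```powershell
# Added example: apply, verify and remove Microsoft's registry workaround for
# CVE-2020-1350 (SigRed) on a Windows DNS server that cannot be patched yet.
# Key path and value are the ones Microsoft documented; everything else
# (function names, messages) is this example's own. Run as Administrator.

$DnsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$MaxTcpSize = 0xFF00   # 65280 bytes; larger TCP DNS messages are dropped

function Test-SigRedWorkaround {
    # Returns $true only when the cap is set to Microsoft's recommended value.
    $current = (Get-ItemProperty -Path $DnsParams -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    return ($null -ne $current -and $current -eq $MaxTcpSize)
}

function Enable-SigRedWorkaround {
    # Refuse to run on hosts without the DNS Server role; the key is meaningless there.
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw "The DNS Server service is not installed on $env:COMPUTERNAME."
    }
    if (Test-SigRedWorkaround) {
        Write-Host "$ValueName is already $MaxTcpSize (0xFF00) on $env:COMPUTERNAME."
        return
    }
    New-ItemProperty -Path $DnsParams -Name $ValueName -Value $MaxTcpSize `
        -PropertyType DWord -Force | Out-Null
    # The DNS service reads this setting only at startup.
    Restart-Service -Name DNS -Force
    if (-not (Test-SigRedWorkaround)) {
        throw "Registry value $ValueName did not persist on $env:COMPUTERNAME."
    }
    Write-Host "Workaround applied on $env:COMPUTERNAME; DNS service restarted."
}

function Disable-SigRedWorkaround {
    # Remove the cap once the July 2020 security update is installed.
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
    Write-Host "Workaround removed on $env:COMPUTERNAME; DNS service restarted."
}

Enable-SigRedWorkaround
```

The restart briefly interrupts name resolution for clients pointed at that server, so stagger it across domain controllers rather than running it everywhere at once (for example with Invoke-Command against one host at a time). The cap rejects TCP DNS messages above 65280 bytes, which legitimate traffic very rarely needs, but treat it as a bridge to the patch, not a substitute for it.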