Warning: 17-year-old bug in Windows DNS servers can be exploited


Microsoft Windows servers can be hijacked when the critical “wormable” vulnerability is exploited

Windows DNS servers possibly at risk

Administrators of Microsoft Windows Server have been warned to patch a critical vulnerability that has existed in the product for 17 years.[1] The researchers who found it published their report together with a notice for organizations, because exploitation of the wormable bug can compromise an entire network.[2]

The bug, tracked as CVE-2020-1350 and nicknamed SIGRed, carries the maximum CVSS severity score of 10.0.[3] Sagi Tzadik of Check Point Research, who reported it, states that the vulnerability lies in the Microsoft Windows DNS server and affects Windows Server versions 2003 through 2019:

If exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.

The flaw is especially dangerous because it is “wormable”: an exploit can be self-propagating, jumping from one compromised machine to the next without any user interaction. A single unpatched server can therefore become the entry point through which whole systems and networks are compromised.

Windows DNS vulnerability leading to arbitrary code execution

To exploit the flaw, an attacker registers a domain and points its name servers at a server they control, so that the target Windows DNS server forwards queries for that domain to the attacker. The attacker then answers with a DNS response carrying a SIG record of more than 64 KB. Because the size of the buffer needed for the record is computed in a 16-bit value, that response triggers an integer overflow in the function that parses incoming responses, producing a “controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.”

A DNS message sent over TCP is capped at 65,535 bytes by its 2-byte length prefix, so the attacker relies on DNS name compression: a name in the response is replaced by a pointer to an earlier occurrence, so the record expands to more than the server expected when it is decompressed, and the size calculation wraps. With the resulting overflow, an attacker can take control of the server, intercept or manipulate email and network traffic, disable services, steal credentials, and execute arbitrary code.
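The two ingredients described above, a name that expands when a compression pointer is followed and a size calculation done in 16 bits, are illustrated by the following added example. It is a simplified model written for this page, not code from dns.exe or from the researchers; the DNS message it builds is constructed inline, and the header offset and field layout it assumes are illustrative. It shows the vulnerable size calculation beside a hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of the size calculation, NOT dns.exe code.
 * The 12-byte header offset and the sample layout are assumptions. */

#define DNS_HDR_LEN 12u
#define MAX_TCP_DNS_MSG 65535u   /* 2-byte length prefix caps a TCP DNS message here */

/* Return the uncompressed length (labels plus root terminator) of the name that
 * starts at `off`, following RFC 1035 compression pointers; (size_t)-1 if malformed. */
size_t name_expanded_len(const uint8_t *msg, size_t msg_len, size_t off) {
    size_t total = 0;
    int hops = 0;
    while (off < msg_len) {
        uint8_t c = msg[off];
        if (c == 0)                      /* root label: name complete */
            return total + 1;
        if ((c & 0xC0) == 0xC0) {        /* 2-byte compression pointer */
            if (off + 1 >= msg_len || ++hops > 16)
                return (size_t)-1;       /* truncated pointer or pointer loop */
            off = (size_t)((c & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (c > 63 || off + 1 + c > msg_len)
            return (size_t)-1;           /* bad label length */
        total += 1 + c;
        off += 1 + c;
    }
    return (size_t)-1;
}

/* Vulnerable pattern: the allocation size is held in 16 bits, so
 * RDLENGTH + expanded signer-name length wraps modulo 65536. */
uint16_t vuln_alloc_size(uint16_t rdlength, size_t signer_len) {
    uint16_t size = rdlength;
    size = (uint16_t)(size + signer_len);   /* truncating add */
    return size;
}

/* Hardened pattern: do the arithmetic in size_t and reject anything that
 * could not have fit in a single message. Returns -1 on rejection. */
int safe_alloc_size(uint16_t rdlength, size_t signer_len, size_t *out) {
    size_t size = (size_t)rdlength + signer_len;
    if (size > MAX_TCP_DNS_MSG)
        return -1;
    *out = size;
    return 0;
}

/* Constructed sample: a zeroed header, a 3-label name at offset 12, then a
 * "signer's name" that is only a 2-byte pointer back to it. Returns the total
 * length (0 if cap is too small) and writes the pointer's offset to *ptr_off. */
size_t build_sample_message(uint8_t *buf, size_t cap, size_t *ptr_off) {
    size_t need = DNS_HDR_LEN + 3 * 64 + 1 + 2;
    if (cap < need) return 0;
    memset(buf, 0, need);
    size_t off = DNS_HDR_LEN;
    for (int i = 0; i < 3; i++) {          /* three 63-byte labels */
        buf[off++] = 63;
        memset(buf + off, 'a', 63);
        off += 63;
    }
    buf[off++] = 0;                         /* root terminator */
    *ptr_off = off;
    buf[off++] = 0xC0;                      /* pointer to offset 12 */
    buf[off++] = (uint8_t)DNS_HDR_LEN;
    return off;
}

/* Bytes the vulnerable path would copy past its allocation for a maximal
 * RDLENGTH and the sample signer name; 0 if nothing overflows. */
size_t demo_overflow_bytes(void) {
    uint8_t msg[512];
    size_t ptr_off, len = build_sample_message(msg, sizeof msg, &ptr_off);
    if (len == 0) return 0;
    size_t signer = name_expanded_len(msg, len, ptr_off); /* 193 bytes from 2 on the wire */
    uint16_t rdlength = 0xFFFF;
    size_t want = (size_t)rdlength + signer;
    uint16_t got = vuln_alloc_size(rdlength, signer);
    return want > got ? want - got : 0;
}

int main(void) {
    printf("vulnerable path copies %zu bytes past its allocation\n", demo_overflow_bytes());
    return 0;
}
```

The two wire bytes of the pointer become 193 bytes once expanded, and adding that to a maximal RDLENGTH wraps the 16-bit size to 192, so a 64 KB copy lands in a 192-byte allocation. The hardened variant rejects the same input outright.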

The researchers also showed that the trigger need not come from a DNS client at all: a web page can make the victim's browser send an HTTP request to the DNS server's TCP port 53, and the server parses the request body as a DNS message, so an employee simply visiting a malicious site can deliver the attack from inside the network. From there the bug can be pushed further to leak memory addresses, corrupt the metadata of a DNS resource record, and obtain a write-what-where[4] primitive that lets the attacker run their own instructions.

The severe flaw with high chances of exploitation has a temporary workaround

The report notes that there are many ways to reach this vulnerability, so patching Windows DNS servers is the recommended mitigation. A compromised DNS server is particularly serious because the Windows DNS role usually runs on a domain controller, which in most cases puts the attacker one step away from a breach of the entire organization. Such “wormable” critical flaws are rare, and only a handful have been disclosed.

Every organization, big or small, that uses Microsoft infrastructure is at major risk if it is left unpatched. The outcome could be a complete breach of the corporate network.

For servers that cannot be patched immediately, Microsoft released[5] a temporary workaround that a system administrator can apply: setting the TcpReceivePacketSize value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 0xFF00 and restarting the DNS service, which makes the server reject the oversized TCP responses that the attack depends on. The vulnerability has been in Microsoft's code for a long time, so it is possible that someone found it before the researchers did. Although Microsoft has found no evidence of successful exploitation, this 17-year-old flaw can cause serious damage if it is left unpatched.[6]