Microsoft regularly releases software updates, or ‘patches’, for vulnerabilities discovered by its own developers and by members of the public, on a day that has become known as ‘Patch Tuesday’. Recently, Microsoft released a patch for a vulnerability with a rather wonderful classification: ‘wormable’. A wormable flaw has “the potential to spread via malware between vulnerable computers without user interaction.”
While a ‘wormable’ vulnerability may well qualify as blog-worthy purely because of its name, this particular issue did harbor the potential to cause serious harm. Why? Because it affected Windows DNS Server. The Domain Name System (DNS) acts as the phone book of the internet and is a core networking component. Below, one of our analysts delves into the Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server.
While this was a critical vulnerability, it should not affect the average consumer. Most consumers use preconfigured routers that do not require any manual DNS set-up, and very few are going to go through the effort of setting up an Active Directory domain (AD authenticates and authorizes all users and computers in a network) for their home.
According to Microsoft, the issue affects every version of Windows DNS Server it has produced since 2003, and it centres on how the server handles queries over a certain size. It could allow an attacker to execute code with the highest level of rights on a DNS server. Because DNS is used to look up AD resources, it is a critical part of Active Directory operations, and by default Microsoft’s DNS implementation is installed whenever a domain controller is set up. Unless an organization has actively excluded Microsoft’s DNS from its environment, it could be vulnerable to this attack.
The good news is that Microsoft released two remedies: a workaround consisting of a simple registry change that only requires a restart of the DNS service, and a full patch for all currently supported operating systems: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability. The patch for supported systems can be installed via the normal Microsoft patching channels, and every organization should ensure one of these changes is deployed as quickly as possible. The registry change should not break any processes, as large DNS queries (which are at the core of this vulnerability) are rare.
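Because the issue hinges on DNS messages over a certain size, a monitoring check that flags oversized DNS-over-TCP frames is a useful complement to the patch. The following is an added example written for this post, not code from the original article or from Microsoft: it splits a DNS-over-TCP byte stream using the RFC 1035 two-byte length prefix and reports any frame whose declared length exceeds a limit or that is shorter than it claims to be. The `MAX_TCP_DNS_BYTES` default and the sample stream are assumptions constructed for the demonstration; set the limit to match the cap your DNS server enforces.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# Assumed threshold (not stated in the post): flag any DNS-over-TCP message
# declaring more than this many bytes. Adjust to the cap your server enforces.
MAX_TCP_DNS_BYTES = 0xFF00


def iter_tcp_dns_messages(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a DNS-over-TCP stream into (declared_length, payload) pairs.
    RFC 1035 section 4.2.2: each message is preceded by a 2-byte big-endian length."""
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        payload = stream[pos + 2 : pos + 2 + length]  # may be short if stream ends early
        yield length, payload
        pos += 2 + length


def parse_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header: ID, flags and the four section counts."""
    if len(payload) < 12:
        return {"truncated_header": True}
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", payload, 0)
    return {"truncated_header": False, "id": msg_id, "is_response": bool(flags & 0x8000),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def find_oversized(stream: bytes, limit: int = MAX_TCP_DNS_BYTES) -> List[dict]:
    """Return one finding per frame that declares more than `limit` bytes,
    or whose payload is shorter than declared (a truncated or malformed frame)."""
    findings = []
    for index, (length, payload) in enumerate(iter_tcp_dns_messages(stream)):
        if length > limit or len(payload) < length:
            findings.append({"index": index, "declared_length": length,
                             "actual_length": len(payload), **parse_header(payload)})
    return findings


def frame(payload: bytes, declared: Optional[int] = None) -> bytes:
    """Prefix a DNS message with its TCP length field (or an explicit declared length)."""
    return struct.pack("!H", len(payload) if declared is None else declared) + payload


# Constructed sample: one normal A-record response for example.com, then a frame that
# claims 65535 bytes but carries only a header plus 100 bytes of padding.
BENIGN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"           # question
                   + b"\xc0\x0c" + b"\x00\x01\x00\x01" + struct.pack("!IH", 60, 4)
                   + bytes([93, 184, 216, 34]))                                 # answer
OVERSIZED = struct.pack("!HHHHHH", 0xABCD, 0x8180, 1, 1000, 0, 0) + b"\x00" * 100
SAMPLE_STREAM = frame(BENIGN_RESPONSE) + frame(OVERSIZED, declared=0xFFFF)

if __name__ == "__main__":
    for finding in find_oversized(SAMPLE_STREAM):
        print(finding)
```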
Now on to the interesting part: how could this vulnerability be exploited? Given that the attack requires direct communication with a DNS server, any attacker will need access to the target network. This could be achieved via a previous exploit, a VPN, a Wi-Fi connection or wired access. The most serious of these is the previous-exploit category. Often attackers must wait for an opportunity to gather credentials once a foothold has been established via phishing. With this vulnerability, an attacker can send DNS queries from any compromised computer and then execute elevated code on the DNS server. Once the DNS server is compromised, attackers can run processes at the highest system level, and where AD is also present they can even create new domain-admin-level accounts. Both of these methods bypass the need to gather credentials, as attackers can simply create their own. This would significantly shorten the time between initial access and privilege elevation, before an attack on the whole environment begins.
A less likely but still possible scenario is an attack from a computer connected to the target network, either wired or wireless. While this vector requires physical proximity to the network, the computer would not need domain rights, only network access. So an attacker could drop a small computer on the network, either under a desk or hidden in another piece of equipment, or crack the Wi-Fi password, and would then be in a position to exploit this security flaw.
Want to make more sense of cyber security risks? Contact us. We offer cyber security consultancy and managed security services, and much more. We’d love to talk.