by Bhabesh Raj Rai, Associate Security Analytics Engineer, LogPoint

For July’s Patch Tuesday, Microsoft has released a total of 123 fixes. Among them, 18 are critical and impact Windows Server and Office products. None of the bugs listed on the advisory are being exploited in the wild at the time of release.

The highlight of this Patch Tuesday is a critical DNS Remote Code Execution vulnerability CVE-2020-1350 carrying a CVSSv3 score of 10. What makes this bug even more dangerous is that the vulnerability is wormable, which means it can spread from endpoint to endpoint without any user interaction. Note that the vulnerability only affects Microsoft’s Windows DNS server implementation, so the Windows DNS client is not affected. 

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. An attacker who successfully exploits the vulnerability could run arbitrary code in the Local System Account context. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. 

Checkpoint researchers triggered the vulnerability by making the victim DNS server query for a SIG record and answering it with a SIG response with a lengthy signature of more than 64KB. Researchers also found that browsers can trigger the vulnerability, which they named SIGRED, by smuggling a DNS query in an HTTP request as part of the POST data. However, the vulnerability can only be exploited via browsers that accept HTTP requests over port 53, including Internet Explorer and Microsoft Edge versions that are not using Chromium.

Detection using LogPoint

DNS SIG query type is very rare across many networks. If you don’t have any Network Security Monitoring (NSM) tools like Zeek (Bro) installed to monitor east-west traffic, then analytical DNS logs, particularly QUERY_RECEIVED (Event ID 256) and RESPONSE_SUCCESS (Event ID 257), from the DNS Server can be used to detect rare DNS SIG query type.

The following query will detect all the exploitation attempts for CVE-2020-5902.

norm_id=WinServer event_source=Microsoft-Windows-DNSServer event_id=256 request_code=24

Zeek logs can also monitor DNS traffic.

norm_id=BroIDS label=DNS query_type_number=24

If you have integrated your AD environment with Cisco Umbrella, you can query the Umbrella.

norm_id=CiscoUmbrella event_category=DNS query_type="24 *"

In DNS servers, we can monitor suspicious process creations by dns.exe by using Windows event logs for detecting possible successful exploitation.

norm_id=WinServer label="Process" label=Create parent_process="*\dns.exe" -"process" IN ["*\dnscmd.exe", "*\werfault.exe", "*\conhost.exe"]

Rapid7 Labs has detected a significant increase in internet-wide DNS version scans from both benign and non-benign sources after the advisory was released. It is highly likely that adversaries will try to weaponize this exploit soon.

Microsoft recommends everyone who runs DNS servers to install the security update as soon as possible. However, if immediate patching is not possible, Microsoft also suggests a registry edit that limits the size of TCP packets the server will process.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

After applying the patch, administrators can revert the registry change done for the workaround. Usually, Windows DNS servers are also Domain Controllers, so it is highly advised to apply the patch as soon as possible.