Security researchers at Check Point discovered a critical security flaw in Microsoft DNS servers. The flaw allows remote code execution, which leads to total compromise of the server. The DNS server role is often bundled with Domain Controllers in corporate environments. Hence, exploitation allows an unauthenticated, remote attacker to gain domain administrator privileges and seize complete control of an organization's IT infrastructure. Check Point named the flaw 'SigRed'; it is assigned CVE-2020-1350 with a CVSS base score of 10. The flaw is wormable, meaning a single exploit of the issue can trigger a chain reaction that allows attacks to spread from one computer to another.
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
TcpReceivePacketSize
Value = 0xFF00

Note: You must restart the DNS Service for the registry change to take effect.

The Default (also max) Value = 0xFFFF
The Recommended Value = 0xFF00 (255 bytes less than the max)

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
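
The registry change above as a PowerShell script that audits the current setting, applies the workaround and confirms the service restart. This is an added example, not taken from the Microsoft or Check Point material; it assumes an elevated session on the DNS server, a REG_DWORD value type and the service name DNS.

```powershell
# Added example: audit and apply the TcpReceivePacketSize workaround.
# Assumptions: elevated session, run locally on the Windows DNS server,
# value type REG_DWORD, DNS Server service registered under the name 'DNS'.
$Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name     = 'TcpReceivePacketSize'
$Expected = 0xFF00   # 65280, the recommended value from the text above

function Get-TcpReceivePacketSize {
    # Returns the configured value, or $null when the value is absent
    # (the server then runs with the default of 0xFFFF).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$current = Get-TcpReceivePacketSize
if ($null -eq $current) {
    Write-Output "$Name is not set; the default 0xFFFF is in effect"
} else {
    Write-Output ('{0} is currently 0x{1:X4}' -f $Name, $current)
}

if ($current -ne $Expected) {
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
        -Value $Expected -Force | Out-Null

    # The change only takes effect after the DNS service restarts.
    Restart-Service -Name DNS -Force
}

# Verify both halves of the workaround: the stored value and the service state.
$after  = Get-TcpReceivePacketSize
$status = (Get-Service -Name DNS).Status
Write-Output ('{0} = 0x{1:X4}, DNS service: {2}' -f $Name, $after, $status)

if ($after -ne $Expected -or $status -ne 'Running') {
    Write-Error 'Workaround not confirmed; check the registry value and the DNS service.'
}
```

If the value was already 0xFF00 before the script ran, the script does not restart the service, so confirm separately that the DNS service has been restarted since the value was written.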
Reference:
[1] https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
[2] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability