Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry-standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization.On top of all of that, says Check Point's head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. "It requires no interaction. And not only that, once you’re inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy," says Omri Herscovici. "It’s basically game over."
The HackCheck Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.)
Check Point only demonstrated that it could crash a target DNS server with that phishing trick, not hijack it. But Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it's likely that the phishing trick could be finessed to allow a full takeover of the target DNS server in the vast majority of networks that don't block outbound traffic on their firewalls. "With some careful crafting, you could probably target DNS servers that are behind a firewall," Williams says.
Who's Affected?While many large organizations use the BIND implementation of DNS that runs on Linux servers, smaller organizations commonly run Windows DNS, says Williams, so thousands of IT administrators will likely need to rush to patch the SigRed bug. And because the SigRed vulnerability has existed in Windows DNS since 2003, practically every version of the software has been vulnerable.