Date: 2020-07-16

The July 2020 Patch Tuesday for Windows Server has arrived. This time an important flaw has been found, so it is good to update the operating system through the latest patch available. Below is a detailed explanation by security experts.

Windows Server, the flaw discovered by Check Point

Press release: Researchers at Check Point Software Technologies have identified a security flaw in the domain name system (DNS) of Windows, the implementation of the DNS services provided by Microsoft in Windows operating systems.

This flaw would allow a hacker to send malicious DNS queries to the Windows DNS server and achieve arbitrary code execution, which could lead to a breach of the entire infrastructure. The critical vulnerability, named SigRed by Check Point researchers, affects Windows Server versions from 2003 to 2019. Microsoft has identified the security flaw and released a patch (CVE-2020-1350), which has been assigned the highest possible risk score (CVSS: 10.0).

DNS, often referred to as the “internet phone book”, is part of the global internet infrastructure that translates familiar website names into the strings of numbers that computers need to find a particular website or to send an email.

When you have a domain name – for example, www.checkpoint.com – you check which number that name connects to, via a DNS record. These servers are present in every organization and, if exploited, they would give a hacker domain admin privileges on the server, allowing them to intercept and manipulate users’ emails and network traffic, make services unavailable, collect user credentials and more. In this way, the hacker could gain complete control of an IT company.

On May 19, 2020, Check Point Research, Check Point’s Threat Intelligence division, responsibly disclosed the results of the research to Microsoft. Microsoft identified the security flaw and has just released a patch (CVE-2020-1350) in its “Patch Tuesday” yesterday, July 14, 2020. Microsoft has assigned the vulnerability the highest possible risk score (CVSS: 10.0).

Microsoft describes such a vulnerability as “wormable”, which means that a single exploit can initiate a chain reaction which allows attacks to spread from one vulnerable device to another, without requiring any human interaction. This means that a single compromised machine could be a “super distributor”, allowing the attack to spread across an organization’s network within minutes of the first exploit.

The patch for the vulnerability is already available as of yesterday, July 14, 2020. Check Point strongly urges Windows users to patch their DNS servers in order to prevent exploitation of this vulnerability. The probability of this vulnerability being exploited is high, as the researchers internally found all the elements necessary to exploit this bug. This means that even a determined hacker could tap into the same resources.

“A violation of the DNS server is a very serious thing. Most of the time, it projects the attacker one step away from violating the entire company. There are very few types of vulnerabilities of this type. Every business, large or small, that uses a Microsoft infrastructure, is exposed to major security risks if left unpatched. The greatest risk would be a complete violation of the entire corporate network. This type of vulnerability has been present in the Microsoft code for more than 17 years; therefore, if we found it, it is not impossible to assume that someone else has already found it,” said David Gubiani, Check Point’s SE EMEA Southern Regional Director.

“Furthermore, our findings show that no matter how safe we believe we are, there are, in fact, an infinite number of problems in this area that are just waiting to be discovered. We call this vulnerability ‘SigRed’ and believe that remedying it should be a top priority. This is not just another of the many vulnerabilities: it is necessary to apply the patch now to stop another possible pandemic, but of a computer type.”

How to stay protected

Apply the patch Microsoft has made available on Patch Tuesday (July 14, 2020);

Use a third-party vendor to protect the corporate IT infrastructure;

Use the following workaround to block the attack. Type in “CMD”:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f

net stop DNS && net start DNS
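What the workaround's 0xFF00 value means on the wire, as an added example that is not part of the press release or of Microsoft's guidance: DNS over TCP prefixes each message with a 2-byte length, and with TcpReceivePacketSize set to 0xFF00 the Windows DNS server drops TCP messages larger than 65280 bytes. The Python below applies that same threshold to one direction of a reassembled TCP stream from a capture; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Value the workaround writes to TcpReceivePacketSize (65280 bytes).
WORKAROUND_LIMIT = 0xFF00


def split_tcp_dns_stream(stream):
    """Split one direction of a reassembled DNS-over-TCP stream into messages.

    Each message is preceded by a 2-byte big-endian length (RFC 1035, 4.2.2).
    Returns (messages, truncated): messages is a list of (offset, declared_len);
    truncated is True if the stream ends inside a length prefix or a body.
    """
    messages, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 2:
            return messages, True            # capture ends inside a length prefix
        (declared,) = struct.unpack_from("!H", stream, pos)
        messages.append((pos, declared))     # the declared size is what the limit applies to
        if len(stream) - pos - 2 < declared:
            return messages, True            # capture ends inside the message body
        pos += 2 + declared
    return messages, False


def over_limit(stream, limit=WORKAROUND_LIMIT):
    """Return (offset, declared_len) for every message larger than limit."""
    messages, _ = split_tcp_dns_stream(stream)
    return [(off, n) for off, n in messages if n > limit]


def frame(n):
    """Constructed sample data: a length prefix plus n filler bytes (not real DNS)."""
    return struct.pack("!H", n) + b"\x00" * n


# Constructed sample stream: a small message, one exactly at the limit (allowed),
# and one above it whose body is cut off by the end of the capture.
SAMPLE = frame(45) + frame(0xFF00) + struct.pack("!H", 0xFFFF) + b"\x00" * 100

if __name__ == "__main__":
    for off, n in over_limit(SAMPLE):
        print(f"offset {off}: declared {n} bytes exceeds {WORKAROUND_LIMIT}")
```

Messages this large are rare in normal DNS traffic, so a hit is worth reviewing both as a possible attack indicator and as a legitimate response that the workaround will cause the server to drop.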

End of the press release: This is the advice and explanation from Check Point Software Technologies regarding the critical vulnerability addressed by Microsoft with the latest patch. For more details, we advise you to consult the Check Point blog (in English). More details on the flaw are available on the official website of the Redmond company. The versions of Windows Server to be updated are from 2003 to 2019.