icetray - Fotolia

DNS Server vulnerability tops July Patch Tuesday concerns

Microsoft warns administrators not to delay the deployment of a patch to shut down a critical bug in Windows DNS servers due to its potential to cause widespread damage.

Microsoft issued a bulletin that warned of a "wormable" bug that affects all supported Windows DNS server systems as the company delivered 123 fixes for July Patch Tuesday.

In a tweet and a blog post, the Microsoft Security Response Center urged IT workers to act quickly to prevent damage from the critical remote-code vulnerability (CVE-2020-1350) in the Windows Domain Name System (DNS) servers that could let an attacker without system credentials exploit the bug. With the successful exploit of an unpatched system, the attacker could then gain full domain administrator privileges. The vulnerability reached 10.0 in the Common Vulnerability Scoring System (CVSS), which measures the severity of software vulnerabilities. Most vulnerabilities seldom rate higher than 8.0 on the CVSS.

"Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible," Mechele Gruhn, principal security program manager for the Microsoft Security Response Center, wrote in a blog post.

Sagi Tzadik, a security researcher at Check Point Research, discovered the vulnerability, dubbed SIGRed, that only affects Microsoft's implementation of DNS, a naming system that converts domain names into internet protocol addresses. The bug affects Windows Server systems going back 17 years to Windows Server 2003. Microsoft's blog indicated the vulnerability had the potential to be a worm that could overtake other Windows Server systems that run DNS, such as domain controllers, that could put high-level domain accounts at risk and disrupt an organization.

"The fact that it's wormable means it could spread between servers pretty quickly without user interaction, so that's a bad situation," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah. "If you've got a threat actor in your environment and they've gotten into one server with the DNS, they could potentially spread themselves to the rest very quickly."

Chris Goettl, director of product management and security, IvantiChris Goettl

Microsoft's instructions on the CVE for the DNS bug offered a registry setting that administrators could apply if patching the system immediately wasn't an option. The registry fix is not active until the system restarts.

July Patch Tuesday tops more than 100 fixes

Of the 123 bugs, 18 are rated critical. July Patch Tuesday marked the fifth month in a row with more than 100 unique vulnerabilities reported.

In addition to the Windows Server DNS bug, July Patch Tuesday corrected problems in the Windows client, Microsoft Edge browsers (EdgeHTML and Chromium versions), Internet Explorer, ChakraCore JavaScript engine, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Skype for Business, Visual Studio, Microsoft OneDrive, open source software (Bond open-source framework, Azure Storage Explorer and TypeScript), .NET Framework and Azure DevOps Server.

Microsoft reported one publicly disclosed vulnerability (CVE-2020-1463) rated important in the Windows SharedStream library that affects Windows 10 on the client side and Windows Server 2016 and up on the server side. To exploit this elevation-of-privilege bug, the attacker would need authenticated credentials on the system to run a specially crafted application to acquire further rights. 

In another deviation from the usual patching fare, every supported Windows OS on the client and server side received a servicing stack update this month to correct an elevation-of-privilege vulnerability (CVE-2020-1346) rated important that affects the Windows Modules Installer in all versions of Windows, including the Windows 7 and Windows 2008/2008 R2 OSes in the Extended Security Update program.

To exploit this bug, the attacker needs to run code on a victim system then run an additional application to gain higher privileges. Administrators should be aware that the servicing stack update is a separate installation from the other Microsoft updates and should be applied before the latest cumulative update, monthly rollup or security update.

All supported Windows systems on the client and server side as well as Microsoft security products, including Microsoft Security Essentials and Microsoft System Center Endpoint Protection, are susceptible to an elevation-of-privilege vulnerability (CVE-2020-1461) rated important. An attacker would need credentials to the system before they could do any damage, which is limited to file deletion.

Other significant July Patch Tuesday fixes

Microsoft released fixes for several vulnerabilities (CVE-2020-1025, CVE-2020-1147, CVE-2020-1443, CVE-2020-1444, CVE-2020-1450, CVE-2020-1451, CVE-2020-1454 and CVE-2020-1456) in SharePoint Server this month. The on-premises content management platform continues to be an attractive target for attackers, a trend that seemed to coincide with the rise of remote workers due to the coronavirus pandemic.  

Administrators will also want to prioritize a patch for a critical remote-code execution vulnerability (CVE-2020-1349) in Microsoft Outlook. The attacker could send a link that the user clicks on in the preview pane of Outlook that links to a malicious file to exploit the flaw.

Dig Deeper on IT operations and infrastructure management