‘SIGRed’, a 17-year-old flaw in Windows Server, has been discovered by Check Point researcher Sagi Tzadik. An attacker who exploits this vulnerability gains Domain Administrator rights and full access to the entire corporate network.
The vulnerability affects Windows Server versions 2003-2019. Every one of these servers that runs the DNS role needs Windows updates applied immediately or, if that is not possible, needs the workaround suggested by Microsoft applied and the DNS server restarted.
SIGRed has been described as ‘wormable’, meaning that no user interaction is required to exploit it. This means that botnets, ransomware, and other malicious software can use the vulnerability to infiltrate a corporate network, and it is only a matter of time before an exploit is developed and malware authors begin to retrofit it into their products.
If your vulnerable servers are hidden behind a firewall, a phishing email can still be used to smuggle the exploit into your network. It is more important than ever that you and your co-workers do not click on any links or open any attachments you receive in unsolicited email. Hacked websites may also soon be serving exploits for this vulnerability to their unwitting visitors, so be sure to patch your DNS servers as soon as possible.
Technical details about the vulnerability are published here: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/