It’s that time again for the monthly periodical of PatchWork! This time around, there’s not as much big news about the update cycle even with 123 bug fixes ranging anywhere from minor to critical, but there’s always enough to help your Patch Tuesday work for you.

The Big (and Old) Kid on the Block: CVE 2020-1350

The main concern for the July cycle of updates is actually an old vulnerability – seventeen years old, to be precise. CVE-2020-1350, also known as SigRed, is a vulnerability that has existed within the system code of MS Windows Server undisturbed for roughly seventeen years and has scored a 10 out of 10 on the CVSS (Common Vulnerability Scoring System).

This bug pertains to Windows DNS, particularly the way in which a Windows DNS server parses a DNS query, as well as how a forwarded DNS query is handled by the system. The team who discovered it, the Check Point research team, described it as follows:

“… by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer … If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server and making it possible for them to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more.“ (1)

One of the most dangerous features of this bug is that it is also “wormable,” that is, self-propagating, meaning that it requires no user interaction once it infiltrates the system at a single point, simply jumping from an infected machine to a non-infected machine and taking over a whole system given enough time.

Now, the good side to this – there is no evidence that this exploit has been used in any currently active attacks. However, considering its prolonged seventeen-year presence in such a core service as Windows DNS, it is more than likely that it has been abused at some point in its tenure, though not nearly as publicly.

Concluding Remarks

The rest of the fixes in this round of patches are not nearly as crucial as this one, but a good system administrator will be sure to check through for anything problematic before rolling out the complete package. All in all, despite so many smaller fixes being implemented, the one that really shook up the July Patch Tuesday was quite unforeseen. Be sure to practice safe computing out there, and until next time, we hope that we have helped make your Patch Tuesday, work for you.