A 17-Year-Old Vulnerability Was Just Discovered in Windows Server. Here’s What You Need to Know Next
First publicly disclosed in July 2020, SIGRed (CVE-2020-1350) is a remote code execution (RCE) vulnerability in the Windows DNS Server service. An attacker can trigger it with little more than a malicious DNS response, and Microsoft rates it as wormable, meaning an exploit could spread from one vulnerable server to the next without any human interaction. Believe it or not, the flaw has been in the code for 17 years: it affects every version of Windows Server from 2003 through 2019. So, while the news of SIGRed is new, the vulnerability itself isn’t. Both Check Point, who found it, and Microsoft rate it a “10 out of 10” on the Common Vulnerability Scoring System (CVSS), which means this is absolutely something you’re going to want to stop and pay attention to.
The issue here is that Windows DNS Server usually runs on domain controllers, the machines that govern authentication and access for your whole Windows network, and the DNS service itself runs with SYSTEM privileges. An attacker who gets code execution through this avenue therefore lands on one of the most sensitive machines you own, with more than enough privilege to reach the rest of your environment in due time.
To give you an idea of how this plays out, consider how easy it is for someone in your organization to click on a phishing link. It happens every day, more often than we’d like to see. The name in that link resolves through your internal DNS server, which forwards the query to a name server the attacker controls; the attacker’s reply is the malicious DNS response that triggers SIGRed, and they now have code running on your DNS server (very likely a domain controller) almost immediately. Check Point also showed that, in some browsers, a crafted web page alone can deliver the malicious request to a DNS server on the local network. Add ransomware to that and the situation quickly escalates to catastrophic levels: from there it can reach backups, network shares, other people’s computers, you name it. It’s a snowball effect in the worst possible way.
Or, an attacker could pair SIGRed with something like a keylogger, a tool that records everything you type. From there, they are probably no more than a business day away from the passwords to your important accounts, along with hacker favorites such as your bank account and credit card details. At that point, they’ll likely learn all they need to know about your customers as well, so they can move on to those fresh targets, too. The reputational damage to your business alone would be catastrophic, to say nothing of how quickly the monetary damage and liabilities would grow.
Although it may be disheartening to learn about highly critical surprise issues like this one, it’s best to remember that long-standing platforms will always have them. What matters most is having support resources that keep their ears to the ground, so that vulnerabilities are identified as they arise and addressed before they compromise your organization’s security posture.
Here’s What You Need to Do Next
The good news is that Microsoft released a patch for SIGRed in the July 14, 2020 security updates for every affected version of Windows Server, and it can be downloaded and deployed right now. For servers that cannot be patched immediately, Microsoft also published a registry-based workaround (KB4569509) that limits the size of DNS messages the server accepts over TCP, which blocks the exploit until the patch is applied. In absolutely no uncertain terms: if you run a Windows DNS server, you need this patch.
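The following PowerShell is an added example for this article, not Microsoft’s or TSI’s code. It checks a Windows DNS server for the two things an administrator cares about here (has anything been installed since the July 14, 2020 patch day, and is the KB4569509 registry workaround in place) and provides a function to apply that workaround. It assumes it is run elevated on the DNS server itself; the registry path, the `TcpReceivePacketSize` value and the 0xFF00 setting are the ones Microsoft documents, while the patch-day cut-off and the function names are this example’s own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Audits a Windows DNS server for
# CVE-2020-1350 (SIGRed) exposure and can apply Microsoft's KB4569509 workaround.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00                    # documented workaround value (65280)
$PatchDay  = Get-Date '2020-07-14'     # assumption: SIGRed fixes shipped on this Patch Tuesday

function Test-DnsRoleInstalled {
    # The patch and the workaround only matter where the DNS Server service exists.
    return [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
}

function Get-SigRedStatus {
    if (-not (Test-DnsRoleInstalled)) {
        return [pscustomobject]@{ DnsRole = $false; WorkaroundApplied = $false; UpdatesSincePatchDay = @() }
    }
    # Value is absent on a default install; Get-ItemProperty then returns nothing.
    $current = (Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    # Get-HotFix is only a hint: InstalledOn is sometimes empty, and it does not tell
    # you which KB fixed CVE-2020-1350. Confirm the exact KB against the MSRC advisory.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDay } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        DnsRole              = $true
        # Any cap at or below 0xFF00 blocks the oversized TCP message the exploit needs.
        WorkaroundApplied    = ($null -ne $current -and [int]$current -le $SafeValue)
        UpdatesSincePatchDay = @($recent)
    }
}

function Enable-SigRedWorkaround {
    # Caps the DNS message size accepted over TCP. The DNS service reads the value
    # at start-up, so it must be restarted (brief outage for clients of this server).
    # Remove the value again once the patch is installed, per Microsoft's guidance.
    if (-not (Test-DnsRoleInstalled)) { throw 'DNS Server service not found on this host.' }
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value $SafeValue -Force | Out-Null
    Restart-Service -Name DNS
}

# Usage: report, and warn when neither mitigation is visible.
$status = Get-SigRedStatus
$status | Format-List
if ($status.DnsRole -and -not $status.WorkaroundApplied -and $status.UpdatesSincePatchDay.Count -eq 0) {
    Write-Warning 'DNS role present, no update since 2020-07-14 and no workaround: patch now, or run Enable-SigRedWorkaround.'
}
```

The workaround is a stopgap, not a substitute for the update: it only constrains DNS over TCP, it costs a service restart, and Microsoft advises removing it after patching. Run the audit across every server with the DNS role (domain controllers first), since a single unpatched resolver is enough.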
TSI’s clients will be pleased to know that we have a comprehensive methodology in place to address these types of critical vulnerabilities as they occur from time to time. Their servers have since been patched, but if you’re not a TSI customer and haven’t heard from your IT provider or IT staff, this is something you should address ASAP.
If nothing else, let this be an invaluable lesson to all of us. Vulnerabilities are out there and always will be, because no software, Microsoft’s operating systems included, is perfect. Thankfully, most are discovered fairly quickly, but sometimes even major ones like SIGRed sit unnoticed for nearly two decades, just waiting to be exploited. Is a bug that old rare? Yes, though not unheard of. As the old saying goes, “you don’t know what you don’t know.”
Speaking as an MSP/MSSP: if there is one security practice every company should have, it is, at the very least, a system that keeps software and operating systems regularly updated, with a resource on hand for the unanticipated, out-of-band update that a bug like SIGRed demands.
Vendors regularly release updates and patches that do more than tweak the user interface or add new features; they also close security loopholes that could be used to seriously compromise your organization. Once those weak points are public, it’s only a matter of time before someone takes advantage of them, and an attacker can easily determine whether you’ve taken the appropriate steps to update and safeguard your network. Applying critical system updates as soon as you’re able is the best way to make sure that doesn’t happen to you.
But even then… it isn’t a guarantee that your environment is 100% secure. We’ve always known this to be true, and SIGRed has been a sobering reminder of that fact.