- Windows DNS server remote code execution vulnerability permits full takeover of affected systems
- Wormable exploits can spread via malware between vulnerable computers without user interaction
- SIGRed vulnerability impacts nearly all versions of DNS in Windows Server dating back over 17 years
- Hypervisor Introspection (HVI) prevents zero-day code execution from suspicious memory regions
On July 14, Microsoft published a security advisory for CVE-2020-1350, describing a longstanding, broad-based Windows DNS server remote code execution vulnerability: Windows Domain Name servers fail to properly handle malformed DNS requests, allowing an attacker to corrupt memory and run arbitrary code in the context of the Local System account. All Windows servers configured as DNS servers are at risk from this critical (CVSS 10) vulnerability, which Microsoft acknowledges dates back at least 17 years, directly putting at risk multiple versions of Windows Server 2008, 2012, 2016, and 2019 in widespread production worldwide.
Dubbed SIGRed, this latest vulnerability continues in the ignominious tradition of costly and devastating memory-space exploits including EternalBlue and BlueKeep, which we have written extensively about in this space. The good news is that, like its predecessors, we expect Bitdefender Hypervisor Introspection (HVI) customers to be protected by default. This a priori protection is the hallmark of Bitdefender HVI.
Hypervisor Introspection is a state-of-the-art anti-exploit technology that leverages Virtual Machine Introspection APIs built into modern hypervisors to monitor the entire memory footprint of the running VMs. This allows the technology to focus on identifying attack techniques at runtime in memory, rather than searching for previously encountered indicators such as signatures, heuristics, or machine learning patterns. Hypervisor Introspection requires no prior knowledge of the vulnerability, where or how it executes, or the specific contents of the exploit code. HVI is true, across-the-board memory protection.
HVI is designed to block code execution inside suspicious memory regions by marking them as non-executable at the Extended Page Tables (EPT) level within the virtualization memory management unit (MMU). Any memory region that is not backed by a legitimately loaded module—for example, the stack, the heap, or other dynamically allocated memory—is considered suspicious memory by HVI and any code residing in that region is prevented from executing by default.
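The execute-permission policy the paragraph describes can be modelled in a few dozen lines: pages that fall inside a loaded module image keep the execute bit, every other page (stack, heap, dynamic allocations) loses it at the EPT-like level, and an instruction fetch from such a page is refused. The following is an added illustrative model, not Bitdefender's HVI code; the module table, base addresses and page size are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not HVI's implementation) of the policy described in
 * the text: pages backed by a legitimately loaded module may execute; any
 * other page is mapped without the execute bit. */

#define PAGE_SIZE 4096u
#define PAGE_MASK (~(uint64_t)(PAGE_SIZE - 1))

enum perm { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

struct module_range {
    const char *name;
    uint64_t base;   /* hypothetical guest-physical base of the image */
    uint64_t size;   /* image size in bytes */
};

/* Hypothetical loaded-module table for one guest (sample values). */
static const struct module_range g_modules[] = {
    { "ntoskrnl.exe", 0x00100000ull, 0x00800000ull },
    { "dns.exe",      0x01000000ull, 0x00040000ull },
};

/* True if the page containing addr lies entirely inside a loaded module. */
static bool page_backed_by_module(uint64_t addr) {
    uint64_t page = addr & PAGE_MASK;
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++) {
        uint64_t lo = g_modules[i].base & PAGE_MASK;
        /* round the image end up to the next page boundary */
        uint64_t hi = (g_modules[i].base + g_modules[i].size + PAGE_SIZE - 1) & PAGE_MASK;
        if (page >= lo && page + PAGE_SIZE <= hi)
            return true;
    }
    return false;
}

/* EPT-style permission bits the introspection layer would assign. */
static unsigned ept_perm_for_page(uint64_t addr) {
    unsigned p = PERM_R | PERM_W;
    if (page_backed_by_module(addr))
        p |= PERM_X;       /* image code: executable */
    return p;              /* stack, heap, dynamic memory: no execute bit */
}

/* Simulated instruction fetch at rip: true when execution is permitted. */
static bool execute_allowed(uint64_t rip) {
    return (ept_perm_for_page(rip) & PERM_X) != 0;
}

int main(void) {
    /* Constructed addresses: one inside dns.exe, one on a typical stack page. */
    uint64_t samples[] = { 0x01001234ull, 0x7ffe0000ull, 0x01040000ull };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("fetch at 0x%016llx: %s\n", (unsigned long long)samples[i],
               execute_allowed(samples[i]) ? "allowed" : "blocked (non-executable page)");
    return 0;
}
```

Note the boundary handling: the page immediately past the end of dns.exe is not backed by the image and is therefore blocked, which is exactly the check that catches shellcode placed in adjacent dynamic memory.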
Exploitation scenarios for SIGRed-style vulnerabilities usually involve shellcode executed from just such a suspicious memory region, a common and proven launchpad for memory corruption attacks. Examples include buffer overflows (on either the stack or the heap) and use-after-free or integer-overflow bugs, which eventually lead to out-of-bounds accesses that can hand control to an attacker. Techniques such as ROP may also be employed, usually to prepare the proper execution environment for the final shellcode, which is then stored inside a suspicious memory region, all of which is visible to HVI.
CVE-2020-1350 is a typical example of an integer overflow that creates a heap-based buffer overflow, which is then exploited to gain arbitrary code execution on the affected host. Once the exploit bypasses existing mitigations—including CFG, ASLR, and DEP—it generally runs shellcode located inside such a suspicious memory region. HVI is designed to intercept and block this execution, thus preventing successful exploitation.
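The bug class named here, an integer overflow in a length computation that under-sizes a heap buffer, is easiest to see on a small constructed parser. The example below is added for illustration and is not the Windows DNS server's code: a record header carries two 16-bit length fields, the vulnerable path sums them in a 16-bit accumulator so the total wraps, and the hardened path computes the sum in a wider type and rejects records whose declared lengths cannot be represented. The struct, function names and sample values are all constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout (hypothetical, not a real protocol header):
 * the parser must allocate first_len + second_len bytes for both parts. */
struct record_hdr {
    uint16_t first_len;
    uint16_t second_len;
};

/* Vulnerable pattern: the sum is accumulated in a 16-bit variable, so
 * 0xFF00 + 0x0200 wraps to 0x0100. A heap buffer of the wrapped size is
 * far too small for the 0x10100 bytes a copy loop would then write. */
static uint16_t total_len_wrapping(const struct record_hdr *h) {
    uint16_t total = h->first_len;
    total += h->second_len;   /* truncated back to 16 bits: integer overflow */
    return total;
}

/* Bytes the copy stage would actually write, computed without truncation. */
static uint32_t bytes_to_copy(const struct record_hdr *h) {
    return (uint32_t)h->first_len + (uint32_t)h->second_len;
}

/* True when the wrapping computation under-allocates the heap buffer:
 * the integer-overflow-to-heap-overflow condition the text describes. */
static bool under_allocates(const struct record_hdr *h) {
    return (uint32_t)total_len_wrapping(h) < bytes_to_copy(h);
}

/* Hardened pattern: compute in a wider type and refuse the record if the
 * result does not fit the type used to size the buffer. */
static bool total_len_checked(const struct record_hdr *h, uint16_t *out) {
    uint32_t total = (uint32_t)h->first_len + (uint32_t)h->second_len;
    if (total > UINT16_MAX)
        return false;         /* reject malformed record instead of wrapping */
    *out = (uint16_t)total;
    return true;
}

/* Parser built on the hardened check: returns a correctly sized heap buffer,
 * or NULL for a record whose declared lengths cannot be represented. */
static unsigned char *parse_record(const struct record_hdr *h, size_t *out_len) {
    uint16_t len;
    if (!total_len_checked(h, &len))
        return NULL;
    unsigned char *buf = malloc(len ? len : 1);
    if (buf) {
        memset(buf, 0, len);
        *out_len = len;
    }
    return buf;
}

int main(void) {
    /* Constructed inputs: one well-formed record, one with lengths that wrap. */
    struct record_hdr benign    = { 300, 200 };
    struct record_hdr malformed = { 0xFF00, 0x0200 };
    const struct record_hdr *cases[] = { &benign, &malformed };
    for (size_t i = 0; i < 2; i++) {
        size_t len = 0;
        unsigned char *buf = parse_record(cases[i], &len);
        printf("record %zu: wrapped=%u needed=%u under-allocates=%d hardened=%s\n",
               i, total_len_wrapping(cases[i]), bytes_to_copy(cases[i]),
               under_allocates(cases[i]), buf ? "accepted" : "rejected");
        free(buf);
    }
    return 0;
}
```

The hardened version is the code-level fix; HVI's contribution is orthogonal, in that even a server still carrying the wrapping arithmetic would have the resulting shellcode blocked at the point where it tries to execute from the heap.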