Critical DNS Flaw Exposes Windows Computers to Hacking

The security updates released by Microsoft Oct. 10 fix a critical vulnerability in the Windows DNS client that could allow attackers to compromise computers on local networks without user interaction.

The vulnerability, tracked as CVE-2017-11779, affects all Windows versions starting with Windows 8 and Server 2012. It stems from the way the Windows DNS client library—DNSAPI.dll—handles responses from DNS servers; in particular, the NSEC3 record that’s part of the DNSSEC protocol.

Attackers can exploit the vulnerability if they are able to control or masquerade as the primary DNS resolver used by computers and can send malformed NSEC3 records to them. Successful exploitation can result in remote code execution in the context of the local system account, leading to a complete compromise.
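The article does not show what a "malformed NSEC3 record" looks like, so the following added example (written for this page, not Bishop Fox's or Microsoft's code) walks through the NSEC3 RDATA wire format from RFC 5155 and shows the length-field checks a DNS client has to make before reading any variable-length field. The sample records are constructed; the class and function names are the example's own.

```python
"""Strict parser for NSEC3 RDATA (RFC 5155, section 3.2).

Wire layout: hash alg (1) | flags (1) | iterations (2) | salt len (1) | salt |
hash len (1) | next hashed owner name | type bitmaps (window, len, bitmap)...
Every length byte is checked against the bytes actually present, so a record
whose length fields disagree with its size is rejected instead of being read
past its end.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field


class MalformedNSEC3(ValueError):
    """Raised when an NSEC3 RDATA blob is inconsistent with its own length fields."""


@dataclass
class NSEC3:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes
    next_hashed: bytes
    types: list[int] = field(default_factory=list)


def _take(buf: bytes, pos: int, n: int, what: str) -> tuple[bytes, int]:
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise MalformedNSEC3(
            f"{what}: need {n} bytes at offset {pos}, only {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n


def parse_nsec3_rdata(rdata: bytes) -> NSEC3:
    pos = 0
    fixed, pos = _take(rdata, pos, 5, "fixed header")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", fixed)
    salt, pos = _take(rdata, pos, salt_len, "salt")
    hl, pos = _take(rdata, pos, 1, "hash length")
    hash_len = hl[0]
    if hash_len == 0:
        raise MalformedNSEC3("hash length must be non-zero")
    next_hashed, pos = _take(rdata, pos, hash_len, "next hashed owner name")

    types: list[int] = []
    # Type bitmap: repeated (window, length, bitmap) triples; RFC 4034 limits
    # the bitmap length to 1..32 bytes, so anything else is malformed.
    while pos < len(rdata):
        hdr, pos = _take(rdata, pos, 2, "bitmap window header")
        window, bm_len = hdr[0], hdr[1]
        if not 1 <= bm_len <= 32:
            raise MalformedNSEC3(f"bitmap length {bm_len} out of range 1..32")
        bitmap, pos = _take(rdata, pos, bm_len, "bitmap")
        for i, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append(window * 256 + i * 8 + bit)
    return NSEC3(hash_alg, flags, iterations, salt, next_hashed, types)


def is_wellformed(rdata: bytes) -> bool:
    """Convenience wrapper for triage code that only needs a verdict."""
    try:
        parse_nsec3_rdata(rdata)
        return True
    except MalformedNSEC3:
        return False


# Constructed sample records (not captured traffic).
# Well-formed: SHA-1, 10 iterations, 2-byte salt, 20-byte hash, types A and CNAME.
GOOD = (bytes([1, 0]) + struct.pack("!H", 10) + bytes([2]) + b"\xaa\xbb"
        + bytes([20]) + bytes(range(20)) + bytes([0, 1, 0x44]))
# Salt length byte claims 200 bytes but only 2 follow.
BAD_SALT = bytes([1, 0, 0, 10, 200]) + b"\xaa\xbb"
# Bitmap length byte claims 40 bytes, above the 32-byte maximum.
BAD_BITMAP = GOOD[:-3] + bytes([0, 40, 0x44])

if __name__ == "__main__":
    print(parse_nsec3_rdata(GOOD))
    for name, blob in (("BAD_SALT", BAD_SALT), ("BAD_BITMAP", BAD_BITMAP),
                       ("TRUNCATED", GOOD[:-1])):
        print(name, "well-formed" if is_wellformed(blob) else "rejected")
```

The point of the helper `_take` is that every read is bounded by the remaining buffer rather than by a length byte the sender controls; a parser that trusts the length fields is exactly the kind of code that mishandles a crafted record.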

“This means that if an attacker controls your DNS server (e.g., through a man-in-the-middle attack or a malicious coffee-shop hotspot), they can gain access to your system,” said Nick Freeman, a consultant with security firm Bishop Fox who found the vulnerability, in a blog post. “This doesn’t only affect web browsers—your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.”

A limiting factor for this vulnerability is that it cannot be exploited from a DNS server higher up in the resolution chain because recursive resolvers will drop the corrupted NSEC3 response before it reaches the computer. Therefore, the only way to exploit it is to control the primary DNS resolver used by the computer.

This can be done on an unprotected Wi-Fi network or through a compromised router, so it’s more likely to be exploited in a targeted attack. For example, an attacker could compromise the Wi-Fi network of a popular restaurant or coffee shop in a business district and hack the laptops of various employees who use the network and then wait for them to take their computers back to their corporate networks.

“New functionality always brings new vulnerabilities, and the introduction of DNSSEC to Windows was no exception,” Freeman said. “The last mile (between your computer and its DNS resolver) will remain a weak point in DNS, so consider the use of a Virtual Private Network (VPN) or using your phone as a personal hotspot to reduce the likelihood of an attacker interfering with your DNS traffic.”

The Bishop Fox researchers posted a video with more details about the vulnerability’s impact.

Microsoft Fixes 28 Critical Flaws in Windows, Office, Internet Explorer

During this most recent Patch Tuesday, Microsoft fixed 62 vulnerabilities in Windows, Office, Internet Explorer and Edge. Thirty-three of these vulnerabilities can result in remote code execution and 28 of them are rated critical.

“Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as ‘Important’ [and] is actively being exploited in the wild,” said Jimmy Graham, director of product management at Qualys.

As far as Windows is concerned, remote code execution flaws have been patched in NetBIOS, SMBv1, the Windows Shell, Windows Search and the Scripting Engine. Security bypasses have been fixed in the Device Guard code integrity protection mechanism and the integrity-level check in Windows Storage.

The company has also issued an advisory for a security issue in Trusted Platform Module (TPM) chips made by Infineon that could result in weaker cryptographic keys. TPMs are used for important enterprise security features in Windows, such as BitLocker disk encryption and biometric authentication. Users should obtain TPM firmware updates from their computer vendors to address this flaw.

1 Million-Plus Internet-Exposed Routers Affected by Dnsmasq Flaws

Security researchers have found more than 1 million SOHO routers and other networking devices that are affected by critical vulnerabilities patched recently in dnsmasq.

Last week, security researchers from Google announced they found and reported critical vulnerabilities in the dnsmasq software package, which is used on Linux, BSD and macOS systems to provide services such as DNS and DHCP for networks. The flaws were fixed in dnsmasq 2.78, released Oct. 2, and Linux distribution maintainers released updated packages.

However, there are many routers and other networking devices out there that use Linux-based firmware but are unlikely to receive patches in a timely manner. Moreover, even if firmware updates do become available, users rarely update their routers because it usually requires a manual process.

Security researchers from Trend Micro used the Censys.io and Shodan search engines to look for routers, cable modems and other networking devices that run the community-built OpenWRT, DD-WRT and Tomato firmware and to determine how many of them are running a vulnerable dnsmasq version. They identified more than 1.1 million devices that had dnsmasq running and had port 53 (DNS) opened to the internet. They were able to download Shodan data on a sample of 754,458 of those devices and determined that more than 99 percent of them were running a vulnerable dnsmasq version.
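The version triage Trend Micro describes comes down to reading a dnsmasq version banner and comparing it against the 2.78 fix line. The following added example (written for this page, not Trend Micro's or Google's tooling) does that over an inventory of constructed banner strings shaped like the answers dnsmasq gives to a version.bind CHAOS TXT query; the hosts, banners and function names are the example's own.

```python
"""Triage dnsmasq version banners against the 2.78 fix line.

Versions must be compared numerically: as strings, "2.8" sorts after "2.78",
but dnsmasq 2.8 is far older. Pre-release tags (rc1, test3) of 2.78 itself
predate the fixed release and are counted as vulnerable.
"""
import re
from collections import Counter

FIXED_VERSION = (2, 78)  # dnsmasq 2.78 shipped the fixes for the flaws discussed above

_BANNER_RE = re.compile(r"dnsmasq[- ]?(\d+)\.(\d+)([a-z]+\d*)?", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, prerelease) or None if the banner is not a dnsmasq version."""
    m = _BANNER_RE.search(banner or "")
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    pre = (m.group(3) or "").lower()  # e.g. "rc1" or "test3"
    return major, minor, pre


def is_vulnerable(banner):
    """True/False for parseable banners, None when the version cannot be read.

    Caveat: distributions often backport fixes without bumping the upstream
    version, so "vulnerable" here means "reports a pre-2.78 version", which
    must be confirmed against the vendor's own advisory.
    """
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, pre = v
    if (major, minor) < FIXED_VERSION:
        return True
    if (major, minor) == FIXED_VERSION and pre:
        return True  # 2.78rc1, 2.78test2, ... predate the 2.78 release
    return False


def triage(records):
    """records: iterable of (host, banner). Returns a Counter of verdicts."""
    verdicts = Counter()
    for host, banner in records:
        v = is_vulnerable(banner)
        verdicts["unknown" if v is None else ("vulnerable" if v else "patched")] += 1
    return verdicts


# Constructed inventory (RFC 5737 documentation addresses, invented banners).
SAMPLE_RECORDS = [
    ("192.0.2.10", "dnsmasq-2.76"),
    ("192.0.2.11", "dnsmasq-2.78"),
    ("192.0.2.12", "dnsmasq-2.80test3"),
    ("192.0.2.13", "dnsmasq-2.78rc1"),
    ("192.0.2.14", "dnsmasq-2.8"),       # string-wise "newer" than 2.78, actually ancient
    ("192.0.2.15", "unbound 1.6.0"),     # not dnsmasq at all
    ("192.0.2.16", ""),                  # no banner returned
]

if __name__ == "__main__":
    for host, banner in SAMPLE_RECORDS:
        print(f"{host:<12} {banner!r:<22} {is_vulnerable(banner)}")
    print(dict(triage(SAMPLE_RECORDS)))
```

For an internal inventory, the same functions work on banners gathered by querying your own devices; on the public data the researchers used, the "unknown" bucket is where devices that hide or rewrite their version string end up, and those need a different check.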

Fortunately, even though they are theoretically vulnerable, not all of these devices can be exploited directly because the vulnerabilities require special conditions such as IPv6 being enabled or the attacker being in control of an upstream DNS server. Some of these limitations can be solved by attackers by tricking users behind vulnerable routers to click on a URL under a domain they control—so they can serve a DNS response for it—or by exploiting a different vulnerability that allows changing the router’s DNS settings. However, such techniques don’t scale very well.

This research, however, shows the poor state of patching in routers at a time when attackers are actively compromising such devices to build botnets capable of launching crippling distributed denial-of-service attacks. It will only take a critical flaw in a widely used remotely accessible component for millions of routers to be at risk.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
