CVE-2022-26824 Windows DNS Server Remote Code Execution Vulnerability

An attacker can exploit this vulnerability by sending a DNS query to an affected DNS server. If the server is running a vulnerable version of the DNS software and receives the query, it can respond with a maliciously crafted DNS response that may allow an attacker to take control of an affected system. An attacker can host a specially crafted DNS response that will attempt to exploit the vulnerability. The DNS response will be sent to a DNS server that may be running an affected version of the DNS software. If the DNS server is vulnerable, it may allow the attacker to perform a DNS poisoning attack. For more information about DNS server vulnerabilities, please see: http://www.symantec.com/focus/DNS_server_vulnerabilities

DNS server vulnerabilities are a common occurrence, with new vulnerabilities discovered on a regular basis. A DNS server may be configured to forward DNS queries to another DNS server. This allows for redundancy in DNS traffic. If an attacker is able to compromise the second DNS server and is able to send a DNS response, this will appear to be a legitimate DNS response. An attacker can then send the second DNS server a DNS query and wait for the server to respond with the malicious DNS response. An attacker can then use the DNS response to perform a DNS redirection attack. A DNS redirection attack occurs when an attacker uses DNS to change the URL of a website or email server.

How to determine if DNS is vulnerable to DNS Poisoning

Identify the DNS server name
DNS servers are generally identified by their hostnames. Most DNS servers use a default hostname of "ns1". If a DNS server is running on ns1, then it would be vulnerable to this attack. To determine what DNS server is running on your system, open a command prompt and enter the ipconfig /all command. Ensure that the "DNS Servers" line contains an IP address in the following format: 172.16.0.2
Look for any listed IP addresses in the "Alternate DNS Servers" section that match with your system's IPv4 address
If you see multiple IP addresses listed below or if there are no such entries, then your system is not running on 172.16.0.2
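The resolver check described in the steps above, written out as an added example that is not part of the original page: a small Python parser for the output of ipconfig /all that collects the "DNS Servers" entries per adapter and reports any resolver that is not on an allow-list. The sample output and the allow-list (172.16.0.2 and 172.16.0.3, matching the example address the text uses) are constructed assumptions; to use it on a real host, replace SAMPLE_OUTPUT with the captured text and EXPECTED_RESOLVERS with the resolvers your network is supposed to use.

```python
"""Extract the configured DNS servers from `ipconfig /all` output and compare
them against the resolvers an administrator expects.

Added example. SAMPLE_OUTPUT is constructed, not captured from a real host,
and EXPECTED_RESOLVERS is an assumed allow-list for the 172.16.0.0/16
example network the text uses."""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not from a real machine).
SAMPLE_OUTPUT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 172.16.0.25(Preferred)
   Default Gateway . . . . . . . . . : 172.16.0.1
   DNS Servers . . . . . . . . . . . : 172.16.0.2
                                       172.16.0.3

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Assumed allow-list: the resolvers this example network is supposed to use.
EXPECTED_RESOLVERS = {"172.16.0.2", "172.16.0.3"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")
CONTINUATION_RE = re.compile(r"^\s+(\S+)\s*$")


def _as_ip(text):
    """Return the address part of a value such as '172.16.0.25(Preferred)' or
    'fe80::1%3', or None if the value is not an IP address."""
    candidate = text.split("(")[0].split("%")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def parse_dns_servers(output):
    """Map each adapter name to the list of DNS servers configured on it."""
    servers = {}
    adapter = None
    in_dns_block = False
    for line in output.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            in_dns_block = False
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2)
            in_dns_block = adapter is not None and name == "DNS Servers"
            if in_dns_block and (ip := _as_ip(value)):
                servers[adapter].append(ip)
            continue
        # When several resolvers are configured, ipconfig lists the extra ones
        # on their own indented lines directly below the "DNS Servers" field.
        m = CONTINUATION_RE.match(line)
        if in_dns_block and m and (ip := _as_ip(m.group(1))):
            servers[adapter].append(ip)
        else:
            in_dns_block = False
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return (adapter, address) pairs whose address is not on the allow-list."""
    return [(adapter, ip) for adapter, ips in servers.items()
            for ip in ips if ip not in expected]


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_OUTPUT)
    for adapter, ips in found.items():
        print(f"{adapter}: {', '.join(ips) or '(none)'}")
    for adapter, ip in unexpected_resolvers(found):
        print(f"WARNING: {adapter} uses unexpected resolver {ip}")
```

The parser keys on the adapter header lines and the dotted field layout ipconfig prints, so it also works for adapters with IPv6 resolvers (the %scope suffix is stripped before the address is validated). An adapter with no "DNS Servers" entry at all shows up with an empty list, which is worth treating as its own finding on a domain-joined machine.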

DNS root zone trusted by all servers

The root zone, also known as the DNS root zone or top-level domain (TLD), is the zone at the top of the DNS hierarchy and is trusted by all servers. The DNS root zone contains all information needed to construct a query that will be sent to any DNS server in the world.
An attacker can exploit this vulnerability by sending a maliciously crafted request for an A record to the DNS root zone. If successful, an attacker may gain access to a victim's system. An attacker can send spoofed queries for the following types of records: CNAME, MX, NS, PTR, TXT, SRV, AAAA and more. If successful, an attacker may be able to take control of systems hosting vulnerable software.

DNS Server Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the DNS server.

DNS Server Software

The most common software used to run DNS servers.

DNS query explanation

A DNS query is sent by a computer to the local DNS server when the user types a domain name into a browser. The DNS server will then return the IP address associated with that domain. The remote DNS server will also receive these queries. If an attacker has compromised one or more of the DNS servers, they will be able to send malicious queries to these servers and take control of these computers.
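The query and response exchange described in this section, together with the poisoning scenario discussed earlier on the page, as an added example that is not part of the original page: a standard-library-only Python parser for DNS messages (header, question and answer sections, including compressed names) and a check_response function that applies the checks a resolver uses before accepting an answer: the reply must come from the server that was queried, carry the same transaction ID, echo the question section, and contain only records for the queried name or for a CNAME target the same reply introduced. The message bytes, the server address 192.0.2.53 and the record values are constructed sample data; check_response, build_query and build_response are hypothetical names for this example, not a real library's API.

```python
"""Parse DNS messages and check a response against the query it claims to answer.
Added example, not code from the original page; the server address, transaction
ID and records below are constructed sample values."""
import struct


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, offset, depth=0):
    """Read a name at offset, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if depth > 8:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, pointer, depth + 1)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname, qtype):
    """Standard recursive query with one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, answers):
    """Echo the query's ID and question, then append (name, type, ttl, rdata) answers."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body, qname = query[12:], decode_name(query, 12)[0]
    for name, rtype, ttl, rdata in answers:
        owner = b"\xc0\x0c" if name == qname else encode_name(name)  # pointer to question name
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_message(msg):
    """Return header fields, the question section and the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        value = rdata.hex()
        if rtype == 1 and rdlen == 4:                  # A: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                      # NS, CNAME, PTR: a name
            value = decode_name(msg, off)[0].lower()
        off += rdlen
        answers.append((name.lower(), rtype, ttl, value))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def check_response(query, response, queried_server, response_source):
    """Return the reasons a resolver should discard `response`; [] means accept."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if response_source != queried_server:
        problems.append("source address is not the server that was queried")
    if r["id"] != q["id"]:
        problems.append("transaction ID does not match the query")
    if not r["flags"] & 0x8000:
        problems.append("QR bit clear: this is a query, not a response")
    if r["questions"] != q["questions"]:
        problems.append("question section does not echo the query")
    # Bailiwick check: accept only records for the queried name or for a CNAME
    # target that an earlier record in this same response introduced.
    allowed = {q["questions"][0][0]}
    for name, rtype, _ttl, value in r["answers"]:
        if name not in allowed:
            problems.append(f"record for {name} is outside the queried name")
        elif rtype == 5:
            allowed.add(value)
    return problems


if __name__ == "__main__":
    query = build_query(0x1234, "www.example.com", 1)
    good = build_response(query, [("www.example.com", 1, 300, bytes([93, 184, 216, 34]))])
    print("legitimate:", check_response(query, good, "192.0.2.53", "192.0.2.53"))
    # Constructed poisoning attempt: an extra record for a name nobody asked about.
    bad = build_response(query, [("www.example.com", 1, 300, bytes([198, 51, 100, 7])),
                                 ("mail.example.com", 1, 300, bytes([198, 51, 100, 8]))])
    print("poisoned:", check_response(query, bad, "192.0.2.53", "192.0.2.53"))
```

Only the question and answer sections are parsed; the authority and additional counts are read and skipped, which is enough for the checks shown. The bailiwick rule is deliberately strict (it accepts nothing outside the queried name), which is the property that keeps an unsolicited record for a different host from ever reaching the cache.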
