Recently Microsoft revealed a very critical DNS vulnerability (CVSS base score of 10.0). Perhaps someone has already created a rule for it and could share it, or maybe could help with creating one.
Based on my analysis of CVE-2020-1350 I came to the following attack steps:
- A DNS request is sent
- A DNS reply with the truncation flag set is received
- A TCP connection to DNS port 53 is set up
- The DNS request is sent again via TCP
- A DNS reply of the maximum size (65535 bytes) with a manipulated DNS compression pointer (0xC0) is received
- The manipulated compression pointer causes a heap-based buffer overwrite because the DNS response contains a large (bigger than 64KB) SIG record
Could anyone share an idea of how to implement this rule better? My current idea, based on my introduction-level knowledge of Suricata, is the following:
# sid is a placeholder in the local-rules range; Suricata refuses to load a rule without one
alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SIGRed (CVE-2020-1350) possible exploit"; dsize:>65534; sid:1000001; rev:1;)
Thank you in advance.
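One caveat worth keeping in mind when building on the rule above: Suricata's `dsize` keyword matches the payload size of a single packet, while a DNS-over-TCP message of 65535 bytes is spread over many TCP segments, so a threshold on `dsize` alone will not see the whole message. The parser below is an added example (editor's code, not the poster's rule and not derived from any real capture) that works on the reassembled TCP payload instead. It reads the 2-byte length prefix DNS uses over TCP (RFC 1035 section 4.2.2), walks the resource records, and reports the two traits the attack steps above call out: a message declared at the 65535-byte maximum, and a SIG record (type 24) whose signer's-name field uses a 0xC0 compression pointer. The two sample messages are constructed inline and labelled as such; the names `inspect_dns_tcp_response`, `matches_sigred_heuristic` and `build_sig_response` are this example's own.

```python
import struct

SIG_TYPE = 24            # SIG resource record (RFC 2535), the record named in the attack steps
PTR_MASK = 0xC0          # top two bits set: RFC 1035 4.1.4 compression pointer
MAX_DNS_TCP_MSG = 65535  # largest message the 2-byte TCP length prefix can describe


def _skip_name(msg: bytes, off: int):
    """Walk one wire-format name without following pointers.

    Returns (saw_pointer, offset_after_name). Raises ValueError on truncation.
    """
    saw_pointer = False
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & PTR_MASK == PTR_MASK:      # 0xC0..: 2-byte pointer terminates the name
            return True, off + 2
        if length == 0:                        # root label terminates the name
            return saw_pointer, off + 1
        off += 1 + length                      # ordinary label


def inspect_dns_tcp_response(stream: bytes) -> dict:
    """Parse a DNS-over-TCP message (2-byte length prefix followed by the message).

    Reports the declared size, whether the stream actually carries that many bytes,
    and whether any SIG RR's signer's-name field uses a compression pointer.
    """
    if len(stream) < 2:
        raise ValueError("no length prefix")
    declared = struct.unpack("!H", stream[:2])[0]
    msg = stream[2:2 + declared]
    result = {
        "declared_len": declared,
        "complete": len(msg) == declared,
        "sig_rr_count": 0,
        "sig_with_pointer": False,
        "largest_rdlen": 0,
        "parse_error": False,
    }
    try:
        if len(msg) < 12:
            raise ValueError("short header")
        qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
        off = 12
        for _ in range(qd):                    # question section: name + qtype + qclass
            _, off = _skip_name(msg, off)
            off += 4
        for _ in range(an + ns + ar):          # answer, authority, additional sections
            _, off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("short RR header")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            result["largest_rdlen"] = max(result["largest_rdlen"], rdlen)
            if rtype == SIG_TYPE:
                result["sig_rr_count"] += 1
                # SIG RDATA: 18 fixed bytes, then the signer's name, then the signature
                if rdlen >= 18:
                    saw_pointer, _ = _skip_name(msg, off + 18)
                    if saw_pointer:
                        result["sig_with_pointer"] = True
            off += rdlen
    except ValueError:
        result["parse_error"] = True
    return result


def matches_sigred_heuristic(stream: bytes) -> bool:
    """The post's dsize:>65534 threshold, applied to the whole message, plus the pointer-in-SIG trait."""
    r = inspect_dns_tcp_response(stream)
    return r["declared_len"] > MAX_DNS_TCP_MSG - 1 and r["sig_with_pointer"]


def build_sig_response(signer_name: bytes, signature: bytes) -> bytes:
    """Constructed sample (not captured traffic): one SIG answer for example.com."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags (QR,RD,RA), counts
    question = b"\x07example\x03com\x00" + struct.pack("!HH", SIG_TYPE, 1)
    # type covered, algorithm, labels, original TTL, expiration, inception, key tag
    sig_fixed = struct.pack("!HBBIIIH", 1, 5, 2, 3600, 0x5F000000, 0x5E000000, 12345)
    rdata = sig_fixed + signer_name + signature
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SIG_TYPE, 1, 3600, len(rdata))
    msg = header + question + answer + rdata
    return struct.pack("!H", len(msg)) + msg


# Benign sample: signer's name written out in full, short signature (136-byte message).
BENIGN = build_sig_response(b"\x07example\x03com\x00", b"\x00" * 64)
# Suspicious sample: signer's name is a pointer (0xC00C) and the message is padded to 65535 bytes.
SUSPICIOUS = build_sig_response(b"\xC0\x0C", b"\x00" * 65474)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_dns_tcp_response(sample), matches_sigred_heuristic(sample))
```

The `complete` field is there because a sensor often sees only the first segments of a large response: the declared length and the SIG pointer are both visible early in the stream, so the heuristic can fire before the full 65535 bytes have arrived, and the flag records that the verdict came from a partial message.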