What is it?
When a DNS server receives a query for a domain it isn’t responsible (authoritative) for it asks a DNS server further up the hierarchy which DNS server is, and then queries that DNS server for the record. The vulnerability exists in how the Windows DNS server parses the response it receives to a forwarded SIG query. A specially crafted response can trigger the vulnerability allowing an attacker to execute arbitrary code on the DNS server with administrative privileges.
Why is it important?
SigRed has been assigned a CVSSv3 base score of 10.0 (the highest), making it a critical vulnerability on par with previous vulnerabilities such as EternalBlue (exploited by NotPetya and WannaCry ransomware strains) and BlueKeep. It is worth noting that SigRed is not a DNS protocol vulnerability, but a vulnerability in Microsoft’s implementation of Windows DNS Server.
There are three aspects which cause SigRed’s vulnerability rating to be so high:
- The vulnerability is considered wormable
Wormable vulnerabilities are amongst the most dangerous types of vulnerabilities because they have the potential to spread between vulnerable computers without any user interaction.
- Windows DNS Servers are often run on Active Directory domain controllers
Domain controllers are the core of Active Directory, storing, authenticating, and authorizing user accounts and activities. Compromising a domain controller leads to the total compromise of Active Directory and this tactic has been at the heart of many major breaches. Because Windows DNS runs as the special user SYSTEM, the code executed by the attacker would run with administrative privileges causing the complete compromise of the domain controller, and thus Active Directory.
- The vulnerability is easily exploitable
An attacker does not have to be authenticated to any system to exploit this vulnerability. All that is required is for a single computer on the network to cause the DNS server to look up a domain the attacker controls, so that the server forwards the query and parses the malicious response. DNS queries are entirely commonplace and easy to trigger – simply opening an email or visiting a webpage containing a benign image hosted on the malicious domain results in a DNS query for that domain.
What Should I Do?
You should immediately apply the security updates released by Microsoft to all Windows DNS servers. Details on the patches can be found here. If you cannot apply this update immediately then you should apply the workaround that mitigates the vulnerability. The workaround involves a registry value change on each DNS server followed by a restart of the DNS service, which can be done with the following two commands from an elevated command prompt:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
Microsoft has published a knowledge base article KB4569509 which provides additional detail and guidance.
Microsoft KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability