What is the SigRed vulnerability in Windows DNS Server?

What is it?

SigRed, CVE-2020-1350, is a remote code execution vulnerability in the Microsoft Windows DNS server that was publicly disclosed on July 14, 2020, by Israeli cybersecurity firm Check Point.  

When a DNS server receives a query for a domain it isn’t responsible (authoritative) for, it asks a DNS server further up the hierarchy which DNS server is, and then queries that DNS server for the record. The vulnerability exists in how the Windows DNS server parses the response it receives to a forwarded SIG query. A specially crafted response can trigger the vulnerability, allowing an attacker to execute arbitrary code on the DNS server with administrative privileges.

Why is it important?

SigRed has been assigned a CVSSv3 base score of 10.0 (the highest), making it a critical vulnerability on par with previous vulnerabilities such as EternalBlue (exploited by NotPetya and WannaCry ransomware strains) and BlueKeep. It is worth noting that SigRed is not a DNS protocol vulnerability, but a vulnerability in Microsoft’s implementation of Windows DNS Server.

There are three aspects which cause SigRed’s vulnerability rating to be so high:

  • The vulnerability is considered wormable

Wormable vulnerabilities are amongst the most dangerous types of vulnerabilities because they have the potential to spread between vulnerable computers without any user interaction.

  • Windows DNS Servers are often run on Active Directory domain controllers

Domain controllers are the core of Active Directory, storing, authenticating, and authorizing user accounts and activities. Compromising a domain controller leads to the total compromise of Active Directory and this tactic has been at the heart of many major breaches. Because Windows DNS runs as the special user SYSTEM, the code executed by the attacker would run with administrative privileges causing the complete compromise of the domain controller, and thus Active Directory.

  • The vulnerability is easily exploitable

An attacker does not have to be authenticated to any system to exploit this vulnerability. All that is required is for a single computer on a network to perform this query to execute the attack. DNS queries are entirely commonplace and easy to trigger – simply opening an email or visiting a webpage containing a benign image hosted by the malicious domain results in a DNS query for the malicious domain.

What Should I Do?

You should immediately apply the security updates released by Microsoft to all Windows DNS servers. Details on the patches can be found here. If you cannot apply this update immediately then you should look to apply a workaround that can mitigate the vulnerability. The workaround involves a registry key change on the DNS servers and a restart of the DNS services.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
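The two commands above apply the workaround to one server at a time. As an added example (not code from the original post, Stealthbits, or Microsoft), the PowerShell below audits a list of DNS servers for the KB4569509 registry value and, on request, applies it and restarts the DNS service. The server names are placeholders; it assumes WinRM remoting is enabled and the caller has local administrator rights on the targets. The value 0xFF00 is the one the KB recommends, so the audit treats any other value, or a missing value, as "workaround not applied".

```powershell
# Added example: audit/apply the CVE-2020-1350 (SigRed) registry workaround.
# Not part of the original post. Server names below are placeholders.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # value recommended in KB4569509

# Placeholder list; in practice this is usually your domain controllers,
# since Windows DNS is commonly installed on them.
$DnsServers = @('dc01.corp.example', 'dc02.corp.example')

function Get-SigRedMitigationState {
    # Returns one object per server describing the DNS service state and
    # whether the TcpReceivePacketSize workaround is in place.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($RegPath, $ValueName, $Expected)
        $svc  = Get-Service -Name DNS -ErrorAction SilentlyContinue
        $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            DnsServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
            CurrentValue      = if ($null -ne $current) { '0x{0:X}' -f $current } else { '(not set)' }
            WorkaroundApplied = ($current -eq $Expected)
        }
    } -ArgumentList $RegPath, $ValueName, $Expected
}

function Set-SigRedMitigation {
    # Writes the registry value (creating or overwriting it) and restarts DNS,
    # which is the same effect as the reg add / net stop / net start sequence.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($RegPath, $ValueName, $Expected)
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                         -Value $Expected -Force | Out-Null
        Restart-Service -Name DNS -Force
        "$env:COMPUTERNAME: $ValueName set to 0x{0:X}, DNS restarted" -f $Expected
    } -ArgumentList $RegPath, $ValueName, $Expected
}

# Audit first; only apply to servers that report the workaround missing.
$state = Get-SigRedMitigationState -ComputerName $DnsServers
$state | Format-Table Computer, DnsServiceRunning, CurrentValue, WorkaroundApplied -AutoSize

$missing = $state | Where-Object { -not $_.WorkaroundApplied } | Select-Object -ExpandProperty PSComputerName
if ($missing) {
    Set-SigRedMitigation -ComputerName $missing
}
```

Run the audit on its own first (the `Get-SigRedMitigationState` call) to see which servers still need the change; the apply step restarts the DNS service, so schedule it accordingly. The workaround caps the size of TCP DNS responses the server will accept, so it is a stop-gap until the update is installed rather than a permanent setting.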

Microsoft has published a knowledge base article KB4569509 which provides additional detail and guidance.

Links

Check Point: SigRed: Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers

Microsoft Advisory CVE-2020-1350

Microsoft KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
