
Just in Time Bulletin: SIGRed

Sep 02, 2021

What is SIGRed?

CVE-2020-1350, known as SIGRed, is a critical remote code execution (RCE) vulnerability in Windows DNS servers due to the improper handling of DNS requests.

It was discovered by Check Point researcher Sagi Tzadik. The bug lies in Microsoft Windows DNS, the domain name system service that ships with Windows Server.

How bad is this?

  • Active exploitation today: no evidence
  • Severity: Critical
  • Authentication: not required
  • Impact: remote code execution
  • Privileges gained: SYSTEM level

This is considered a wormable vulnerability, meaning it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and is commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high-level domain accounts.

Who is affected by this?

CVE-2020-1350 affects all Windows Server versions from 2003 to 2019.

How is it exploited?

An attacker can send crafted DNS queries to a Windows DNS server and achieve arbitrary code execution, which could lead to the breach of the entire infrastructure.

How do I protect myself?

Microsoft has released patches to address SIGRed across a variety of Windows Server releases. The fix was issued as part of Patch Tuesday on July 14, 2020.

NopSec strongly encourages organizations to apply these patches as soon as possible. A compromised DNS server can lead to the compromise of a Domain Controller, which ultimately compromises your Active Directory. If that happens, incident handling should be done with professional assistance.

Under what circumstances would I consider using the registry key workaround?

Microsoft recommends that everyone who runs DNS servers install the security update as soon as possible. If you are unable to apply the patch right away, Microsoft recommends applying the workaround below as soon as possible to protect your environment until the update is installed.

Provided workaround via a Windows registry modification:

Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

DWORD = TcpReceivePacketSize

Value = 0xFF00

In order for these changes to take effect, the DNS Service must be restarted.
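As an added example (not code from the NopSec bulletin or from Microsoft), the following PowerShell applies the registry workaround above, restarts the DNS service, and verifies the result. It assumes an elevated session on the DNS server itself and the default Windows DNS Server service name, DNS.

```powershell
# Added example: apply and verify the SIGRed TcpReceivePacketSize workaround.
# Assumptions: run elevated on the Windows DNS server; the DNS Server role
# is installed with the default service name "DNS".

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280 decimal, the value given in the bulletin

function Test-SigredWorkaround {
    # Returns $true only if the DWORD exists and holds the expected value.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$ValueName -eq $Expected)
}

function Set-SigredWorkaround {
    # Create the DWORD, or overwrite it if it already exists (-Force).
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Expected -Force | Out-Null
    # The new limit is only read when the DNS service starts.
    Restart-Service -Name DNS -Force
}

if (Test-SigredWorkaround) {
    Write-Host "Workaround already in place: $ValueName = 0x$('{0:X}' -f $Expected)"
} else {
    Set-SigredWorkaround
    if (Test-SigredWorkaround) {
        Write-Host "Workaround applied and DNS service restarted."
    } else {
        Write-Warning "Registry value not set as expected; check permissions and key path."
    }
}
```

The bulletin presents this as a stopgap until the update is installed; `Remove-ItemProperty -Path $KeyPath -Name $ValueName` followed by another service restart reverts it.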

Additional Resources: