What is SIGRed?
CVE-2020-1350, known as SIGRed, is a critical remote code execution (RCE) vulnerability in the Windows DNS Server service caused by improper handling of DNS responses: a specially crafted SIG (signature) resource record makes a 16-bit size calculation wrap, which leads to a heap-based buffer overflow in dns.exe.
It was discovered by Check Point researcher Sagi Tzadik. The bug is in Microsoft Windows DNS, the domain name system service that ships with Windows Server; it does not affect the DNS client built into Windows.
How bad is this?
- Active exploitation today: no evidence
- Severity: Critical (CVSS 10.0)
- Authentication: not required
- Impact: remote code execution
- Privileges gained: SYSTEM
This is considered a wormable vulnerability, meaning that malware could use it to spread between vulnerable servers without any user interaction. DNS is a foundational networking component and is commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the theft of high-privilege domain accounts.
Who is affected by this?
CVE-2020-1350 affects every Windows Server version from Windows Server 2003 through Windows Server 2019 that has the DNS Server role installed. Servers without the DNS role and Windows desktop editions are not affected.
How are they exploited?
An attacker who can reach the Windows DNS server on port 53, or who can make it issue a query from inside the network, sends it a query for a name in a domain whose authoritative name server the attacker controls. The vulnerable server forwards the query, and the attacker's name server answers with a response carrying a malformed SIG record. The response is delivered over TCP, because the overflow needs a message larger than UDP allows. Parsing that response corrupts the heap in dns.exe and gives the attacker arbitrary code execution as SYSTEM, which on a Domain Controller can lead to the breach of the entire infrastructure.
How do I protect myself?
Microsoft has released patches to address SIGRed across all supported Windows Server releases. The fix was issued as part of Patch Tuesday on July 14th, 2020.
NopSec strongly encourages organizations to apply these patches as soon as possible. A compromise can result in a Domain Controller being taken over, which ultimately compromises your entire Active Directory. At that point, incident handling should be done with professional assistance.
Under what circumstances would I consider using the registry key workaround?
Microsoft recommends that everyone who runs DNS servers install the security update as soon as possible. If you cannot apply the patch right away, Microsoft recommends applying the registry workaround immediately to protect your environment until the update is installed. The workaround caps the size of TCP-based DNS responses the server will accept at 0xFF00 (65280 bytes) instead of the default 0xFFFF, so the oversized response needed to trigger the overflow is rejected before it is parsed. Legitimate TCP responses that large are rare, but verify that forwarding and zone transfers still work after the change.
Provided workaround via a Windows registry modification:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
For the change to take effect, the DNS Server service must be restarted; the value is read only at service start-up. Once the security update is installed, the value can be removed and the service restarted again.
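The following PowerShell script is an added example, not code from the original article or from Microsoft: it applies, verifies, and reverts the registry workaround above and restarts the DNS Server service. The registry path, value name and 0xFF00 setting are Microsoft's; the function names and the dot-source usage are this example's own assumptions. Run it from an elevated PowerShell prompt on the DNS server itself.

```powershell
# Added example (not from the original article or Microsoft): apply, verify,
# or revert the SIGRed (CVE-2020-1350) registry workaround on a Windows DNS
# server. Function names below are this script's own; the registry path, value
# name and 0xFF00 setting are the ones Microsoft published.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeSize  = 0xFF00   # 65280 bytes: below the 0xFFFF default TCP message size

function Test-DnsServerRole {
    # The workaround only matters on hosts that run the DNS Server service.
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Get-SigRedWorkaroundState {
    # Returns the current DWORD, or $null if the value has not been set.
    $item = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-SigRedWorkaround {
    if (-not (Test-DnsServerRole)) {
        throw 'DNS Server service not found on this host; nothing to protect.'
    }
    if (-not (Test-Path $DnsParams)) {
        New-Item -Path $DnsParams -Force | Out-Null
    }
    # -Force overwrites an existing value; DWord matches Microsoft's guidance.
    New-ItemProperty -Path $DnsParams -Name $ValueName -Value $SafeSize `
        -PropertyType DWord -Force | Out-Null

    # The DNS service reads the value only at start-up, so restart it.
    Restart-Service -Name 'DNS' -Force

    if ((Get-SigRedWorkaroundState) -ne $SafeSize) {
        throw 'Workaround was not applied; check the registry and service state.'
    }
    Write-Host ("{0} set to 0x{1:X} and DNS service restarted." -f $ValueName, $SafeSize)
}

function Disable-SigRedWorkaround {
    # Use after the July 2020 security update has been installed.
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name 'DNS' -Force
    Write-Host "$ValueName removed and DNS service restarted."
}

function Show-SigRedWorkaroundStatus {
    # Quick report for a fleet-wide check via remoting.
    $state = Get-SigRedWorkaroundState
    if ($null -eq $state) {
        Write-Host "$ValueName is not set (workaround NOT active)."
    } elseif ($state -le $SafeSize) {
        Write-Host ("{0} = 0x{1:X} (workaround active)." -f $ValueName, $state)
    } else {
        Write-Host ("{0} = 0x{1:X} (larger than 0xFF00; workaround NOT effective)." -f $ValueName, $state)
    }
}

# Usage (elevated PowerShell on the DNS server):
#   . .\sigred-workaround.ps1      # dot-source to load the functions
#   Enable-SigRedWorkaround        # before the patch is installed
#   Show-SigRedWorkaroundStatus    # confirm the value is in place
#   Disable-SigRedWorkaround       # after the July 2020 update is applied
```

Because Show-SigRedWorkaroundStatus only reads the registry, it can be run across all DNS servers with Invoke-Command to find hosts that still lack both the patch and the workaround; the Enable function deliberately throws when the value does not read back as 0xFF00 after the restart, so a failed write is not mistaken for protection.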
Additional Resources:
- Microsoft Security Guidance
- Mitre
- Github
- Checkpoint Research Blog
- What You Need to Know About the Windows DNS Vulnerability – CVE-2020-1350