SigRed, CVE-2020-1350, is a remote code execution vulnerability in the Microsoft Windows DNS server that was publicly disclosed on July 14, 2020, by Israeli cybersecurity firm Check Point.
When a DNS server receives a query for a domain it isn’t responsible (authoritative) for, it asks a DNS server further up the hierarchy which server is authoritative, and then queries that server for the record. The vulnerability lies in how the Windows DNS server parses the response it receives to a forwarded SIG query. A specially crafted response can trigger the vulnerability, allowing an attacker to execute arbitrary code on the DNS server with administrative privileges.
SigRed has been assigned a CVSSv3 base score of 10.0 (the highest), making it a critical vulnerability on par with previous vulnerabilities such as EternalBlue (exploited by NotPetya and WannaCry ransomware strains) and BlueKeep. It is worth noting that SigRed is not a DNS protocol vulnerability, but a vulnerability in Microsoft’s implementation of Windows DNS Server.
There are three aspects which cause SigRed’s vulnerability rating to be so high:
Wormable vulnerabilities are amongst the most dangerous types of vulnerabilities because they have the potential to spread between vulnerable computers without any user interaction.
Domain controllers are the core of Active Directory, storing, authenticating, and authorizing user accounts and activities. Compromising a domain controller leads to the total compromise of Active Directory and this tactic has been at the heart of many major breaches. Because Windows DNS runs as the special user SYSTEM, the code executed by the attacker would run with administrative privileges causing the complete compromise of the domain controller, and thus Active Directory.
An attacker does not have to be authenticated to any system to exploit this vulnerability. All that is required is for a single computer on a network to perform this query to execute the attack. DNS queries are entirely commonplace and easy to trigger – simply opening an email or visiting a webpage containing a benign image hosted by the malicious domain results in a DNS query for the malicious domain.
You should immediately apply the security updates released by Microsoft to all Windows DNS servers. Details on the patches can be found here. If you cannot apply this update immediately then you should look to apply a workaround that can mitigate the vulnerability. The workaround involves a registry key change on the DNS servers and a restart of the DNS services.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
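The same workaround as a repeatable PowerShell script is shown below. This is an added example, not code from the original post or from Microsoft; it assumes an elevated session on the DNS server itself, and the only key path, value name and data it uses are the ones published in KB4569509 (quoted in the commands above). The function names (Get-SigRedWorkaroundState, Set-SigRedWorkaround, Remove-SigRedWorkaround) are this example's own.

```powershell
# Added example (not from the original post): verify, apply, or remove the
# KB4569509 registry workaround for CVE-2020-1350 on a Windows DNS server.
# Assumptions: run elevated on the DNS server; the path/value/data below are
# exactly those given in the reg add command in the post (from KB4569509).
#Requires -RunAsAdministrator

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Mitigated = 0xFF00   # 65280, the value recommended as the workaround

function Get-SigRedWorkaroundState {
    # Reports whether the DNS Server service exists on this host and whether
    # the workaround value is currently set to the recommended data.
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    $current = $null
    if (Test-Path $RegPath) {
        $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    [pscustomobject]@{
        DnsServiceInstalled = [bool]$svc
        DnsServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        CurrentValue        = $current
        WorkaroundApplied   = ($null -ne $current -and $current -eq $Mitigated)
    }
}

function Set-SigRedWorkaround {
    # Sets TcpReceivePacketSize to 0xFF00 and restarts DNS; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-SigRedWorkaroundState
    if (-not $state.DnsServiceInstalled) {
        Write-Warning 'DNS Server service not found; nothing to do on this host.'
        return $state
    }
    if ($state.WorkaroundApplied) {
        Write-Host ('Workaround already in place (TcpReceivePacketSize = 0x{0:X}).' -f $state.CurrentValue)
        return $state
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Set to 0xFF00 and restart DNS')) {
        # -Force overwrites an existing value, so this covers create and update.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Mitigated -Force | Out-Null
        # The change only takes effect once the DNS service restarts
        # (equivalent to "net stop DNS && net start DNS" in the post).
        Restart-Service -Name 'DNS' -Force
    }
    return Get-SigRedWorkaroundState
}

function Remove-SigRedWorkaround {
    # After the security update is installed, remove the value so the server
    # returns to its default TCP packet size handling; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (Test-Path $RegPath) {
        $exists = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($exists -and $PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Remove value and restart DNS')) {
            Remove-ItemProperty -Path $RegPath -Name $ValueName
            Restart-Service -Name 'DNS' -Force
        }
    }
    return Get-SigRedWorkaroundState
}

# Usage:
#   Get-SigRedWorkaroundState          # audit current state
#   Set-SigRedWorkaround -WhatIf       # preview the change
#   Set-SigRedWorkaround               # apply and restart DNS
#   Remove-SigRedWorkaround            # once the update is installed
```

Run Get-SigRedWorkaroundState first on each DNS server (and again after the restart) so you have a record of which hosts are mitigated; the workaround only changes how large a DNS-over-TCP response the server will accept, so it is a stopgap until the update in the advisory is installed, after which the value can be removed.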
Microsoft has published a knowledge base article KB4569509 which provides additional detail and guidance.
Check Point: SigRed: Resolving your way into domain admin: Exploiting a 17 year old bug in Windows DNS Servers
Microsoft Advisory CVE-2020-1350
Microsoft KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
Joe is a Security Researcher at Stealthbits – Now part of Netwrix. An expert in Active Directory, Windows, and a wide variety of enterprise software platforms and technologies, Joe researches new security risks, complex attack techniques, and associated mitigations and detections.
© 2022 Stealthbits Technologies, Inc.