SIGRed Overview

This threat report covers a critical vulnerability in the Windows DNS Server service, disclosed in Microsoft's security updates of July 14, 2020. It is tracked as CVE-2020-1350, carries a CVSS base score of 10.0, and is commonly referred to as SIGRed.

This vulnerability:

  • Allows remote code execution without authentication
  • Has proof-of-concept (PoC) exploits publicly available on the internet
  • Affects every version of Windows Server from 2003 through 2019 that runs the DNS Server role

Microsoft rates the vulnerability as “wormable”: malware exploiting it could spread from one vulnerable DNS server to another without any user interaction, giving it the potential for impact similar to the EternalBlue and BlueKeep vulnerabilities.

Microsoft and Avertium, along with other sources, strongly urge that the July 2020 security updates be applied to remediate this vulnerability.

SIGRed Tactics, Techniques, and Procedures

CVE-2020-1350, or SIGRed, was discovered by Check Point Research and affects the Windows DNS Server service, “dns.exe”, the component that parses and answers DNS queries.

Because the DNS service runs as SYSTEM, and because the DNS Server role is most often installed on domain controllers, successful exploitation can give a malicious actor SYSTEM on a domain controller and, from there, Domain Administrator rights.

To exploit this vulnerability, an attacker must get the vulnerable server to process a specially crafted DNS response. The attacker registers a domain whose NS records point to a DNS server under their control and then causes the target to resolve a name in that domain; the target forwards the query to the attacker's server and parses whatever comes back. The malicious response carries a SIG record whose total size, as the server calculates it, exceeds 65,535 bytes. The server holds that size in a 16-bit value, so it wraps to a small number: the server allocates a buffer of the wrapped size and then copies the full record into it, a heap-based buffer overflow. Depending on the payload, this crashes the service (denial of service) or lets the attacker run code as SYSTEM.

A DNS message over UDP is limited to 512 bytes (or the EDNS0 size the client advertises), far too small to carry such a record, so the attacker's server instead answers the UDP query with the TC (truncated) flag set. That tells the querying server to retry over TCP, where a DNS message can be up to 65,535 bytes, and the oversized SIG response is delivered on that TCP connection.
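The size arithmetic at the heart of SIGRed, as an added illustration written for this report rather than code from the page, from Check Point, or from dns.exe. It models the bug class the two paragraphs above describe: a record size summed into a 16-bit variable wraps once it passes 65,535, the server allocates the wrapped size, and a copy of the real record overruns it. The 18-byte fixed SIG header comes from RFC 2535; the assumption that the stored size is signature length plus the expanded signer name (up to 255 bytes, even when it arrives in the message as a 2-byte compression pointer) plus that header is a simplification for illustration, not dns.exe's exact arithmetic. All function names are mine, and the sample sizes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Fixed SIG RDATA fields that precede the signer's name (RFC 2535 s.4.1):
 * type covered(2) algorithm(1) labels(1) original TTL(4) expiration(4)
 * inception(4) key tag(2) = 18 bytes. */
#define SIG_FIXED_HDR 18u
/* Largest message a DNS-over-TCP 2-byte length prefix can describe. */
#define DNS_TCP_MAX   65535u
/* Longest possible domain name in wire form (RFC 1035). */
#define DNS_NAME_MAX  255u

/* Vulnerable pattern (assumed model, not dns.exe's code): the record size is
 * summed into a 16-bit variable. A sum above 65535 silently wraps, so a huge
 * record yields a tiny allocation. */
static uint16_t sig_alloc_size_vulnerable(uint16_t sig_len, uint16_t signer_name_len)
{
    uint16_t size = (uint16_t)(SIG_FIXED_HDR + signer_name_len + sig_len);
    return size;
}

/* Same arithmetic in size_t: how many bytes the copy will actually write. */
static size_t sig_bytes_to_copy(uint16_t sig_len, uint16_t signer_name_len)
{
    return (size_t)SIG_FIXED_HDR + signer_name_len + sig_len;
}

/* True when a buffer sized by the vulnerable computation is smaller than the
 * data copied into it, i.e. the heap overflow would occur. The overflow itself
 * is never performed here; only the two sizes are compared. */
static bool vulnerable_copy_overflows(uint16_t sig_len, uint16_t signer_name_len)
{
    return sig_bytes_to_copy(sig_len, signer_name_len)
           > sig_alloc_size_vulnerable(sig_len, signer_name_len);
}

/* Hardened sizing: compute in a wide type and reject anything no legal
 * DNS-over-TCP message could carry. Returns 0 on rejection. */
static size_t sig_alloc_size_checked(uint16_t sig_len, uint16_t signer_name_len)
{
    if (signer_name_len > DNS_NAME_MAX) return 0;
    size_t size = sig_bytes_to_copy(sig_len, signer_name_len);
    if (size > DNS_TCP_MAX) return 0;
    return size;
}

/* Hardened allocation built on the checked size; NULL means "refused".
 * A caller that copies into this buffer must use the same checked size as
 * its bound, so allocation and copy can never disagree. */
static unsigned char *sig_record_alloc(uint16_t sig_len, uint16_t signer_name_len)
{
    size_t size = sig_alloc_size_checked(sig_len, signer_name_len);
    return size ? (unsigned char *)malloc(size) : NULL;
}

/* Does the hardened path accept this record at all? */
static bool sig_record_accepted(uint16_t sig_len, uint16_t signer_name_len)
{
    unsigned char *p = sig_record_alloc(sig_len, signer_name_len);
    bool ok = (p != NULL);
    free(p);
    return ok;
}

static void report(const char *label, uint16_t sig_len, uint16_t name_len)
{
    printf("%s: signature=%u signer name=%u -> copy %zu bytes, "
           "vulnerable alloc %u bytes, %s\n",
           label, (unsigned)sig_len, (unsigned)name_len,
           sig_bytes_to_copy(sig_len, name_len),
           (unsigned)sig_alloc_size_vulnerable(sig_len, name_len),
           vulnerable_copy_overflows(sig_len, name_len) ? "OVERFLOW" : "ok");
}

int main(void)
{
    /* Constructed sample sizes. A 4096-bit RSA signature is 512 bytes; a
     * 65400-byte "signature" with the signer name stored at its 255-byte
     * maximum is the malicious case the report describes. */
    report("legitimate SIG", 512, 20);
    report("SIGRed-style SIG", 65400, 255);
    return 0;
}
```

Run as-is it prints both cases: the legitimate record allocates exactly what it copies, while the malicious one sums to 65,673 bytes, wraps to a 137-byte allocation, and would be copied over by more than 65 KB. The hardened path refuses the same record before any allocation happens.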

Check Point Research notes that an attacker must either have access to the target's internal network or indirectly cause a DNS request to be made from inside it. One vector is an internal user visiting an attacker's site that hosts malicious JavaScript (or similar) code. The code sends an HTTP POST request from the victim's browser to port 53 of the internal DNS server; the server's TCP listener reads the start of that request as the two-byte DNS length prefix and parses what follows as a DNS message, so a DNS query smuggled into the POST body reaches the server. Google Chrome and Mozilla Firefox refuse to connect to port 53, so they cannot be used for this vector; Internet Explorer and the pre-Chromium Microsoft Edge do not block it.

What SIGRed Means to You

  • May lead to a malicious actor gaining Domain Administrator privileges, resulting in complete control over your network and compromise of the systems on it.
  • Significant financial impact from the compromise itself and from the disaster recovery and incident response effort that follows.

What You Can Do About CVE-2020-1350

We recommend applying the patch below in your environment as soon as possible. If the patch for CVE-2020-1350 cannot be applied yet, Microsoft has also provided a registry workaround.

Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1350#ID0EGB

Workaround

If patches cannot be applied, setting the registry value below, provided by Microsoft, caps the size of inbound DNS-over-TCP messages at 65280 bytes (0xFF00). The DNS service must be restarted for the change to take effect, and the value should be removed again once the patch is installed.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD: TcpReceivePacketSize
Value: 0xFF00

Sources

Denial of Service PoC

https://packetstormsecurity.com/files/158484/SIGRed-Windows-DNS-Denial-Of-Service.html

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.

This informed analysis is based on the latest data available.
