Two researchers at Check Point Research recently discovered a critical vulnerability in the Windows DNS server (CVE-2020-1350), also known as ‘SigRed.’ Microsoft has acknowledged this vulnerability and defined it as a wormable critical vulnerability (CVSS score 10.0). If exploited successfully, an attacker would be granted Domain Administrator rights.
Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install patches immediately.
“Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Microsoft said.
How It Works
SigRed takes advantage of how the Windows DNS server parses incoming DNS queries and handles forwarded queries. An attacker would set up a malicious nameserver to which queries for their domains and subdomains would be forwarded. That nameserver would then return a response larger than 64KB, triggering an integer overflow flaw in the server's handling of the response. The attacker also needs to take advantage of DNS name compression, combined with the resulting buffer overflow, to increase the effective size of the response by a significant amount.
More information will be provided in the coming days by the Check Point Research team on the specifics of the vulnerability.
Who’s Affected & Mitigation
Microsoft Windows Server versions 2003 and above are affected by this vulnerability.
Even if a DNS Server isn’t directly connected to the internet, the researchers state that it can be successfully compromised, even through browsers.
SigRed can be triggered remotely via a browser in limited scenarios (e.g., Internet Explorer and non-Chromium based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers’ support for connection reuse and query pipelining features to “smuggle” a DNS query inside an HTTP request payload to a target DNS server upon visiting a website under their control (TheHackerNews).
A patch will be released shortly by Microsoft, but in the meantime, a workaround is provided that shortens the maximum allowed DNS packet size.
Workaround (run as Administrator on the DNS server; the service restart is required for the new value to take effect):
```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
```
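The workaround above caps TCP DNS messages at 0xFF00 (65280) bytes. The following added example (not code from the original post or from Blumira) shows how a defender can apply the same limit to captured DNS-over-TCP traffic: it splits a byte stream into its 16-bit length-prefixed messages and flags any message whose declared length exceeds the cap. The sample stream is constructed inline; the function and constant names are assumptions.

```python
import struct

# Value the Microsoft workaround writes to TcpReceivePacketSize (65280 bytes).
WORKAROUND_MAX_TCP_LEN = 0xFF00


def split_tcp_dns_messages(stream: bytes):
    """Walk a DNS-over-TCP byte stream (RFC 1035: each message is prefixed by a
    16-bit big-endian length) and yield (offset, declared_len, body).
    A truncated trailing message is yielded with a shorter body than declared."""
    off = 0
    while off + 2 <= len(stream):
        (declared,) = struct.unpack("!H", stream[off:off + 2])
        body = stream[off + 2:off + 2 + declared]
        yield off, declared, body
        off += 2 + declared


def oversized_tcp_dns_messages(stream: bytes, max_len: int = WORKAROUND_MAX_TCP_LEN):
    """Return one finding per message whose declared length exceeds max_len.
    A server with the workaround applied rejects such messages; a SIEM rule over
    TCP/53 captures can alert on the same condition on the wire."""
    findings = []
    for off, declared, body in split_tcp_dns_messages(stream):
        if declared > max_len:
            findings.append({
                "offset": off,
                "declared_len": declared,
                "bytes_present": len(body),
                # First two bytes of a DNS message are the transaction ID.
                "txid": body[:2].hex() if len(body) >= 2 else None,
            })
    return findings


# Constructed sample stream: one benign 12-byte response header (txid 0x1234,
# flags 0x8180, no records) followed by a 0xFFF0-byte message that exceeds the cap.
BENIGN = struct.pack("!H", 12) + struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, 0, 0)
OVERSIZED_LEN = 0xFFF0
OVERSIZED = struct.pack("!H", OVERSIZED_LEN) + b"\xab\xcd" + b"\x00" * (OVERSIZED_LEN - 2)
SAMPLE_STREAM = BENIGN + OVERSIZED

if __name__ == "__main__":
    for finding in oversized_tcp_dns_messages(SAMPLE_STREAM):
        print("oversized DNS/TCP message:", finding)
```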
Amanda Berlin
Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...