15.07.2020

Windows Server DNS vulnerability “SIGRed”

A new severe vulnerability has been patched for Windows servers running the DNS Server role. CVE-2020-1350 dubbed “SIGRed” is 17 years old, affecting all Windows Server versions back to Windows Server 2003, and gets a 10 out of 10 CVSSv3 score.

Microsoft released a security guidance on the 14th of July, and a security patch for Windows Server all the way back to 2008 on the 13th of July. 


Key facts:
 

  • Identifier: CVE-2020-1350 A.K.A “SIGRed” 
  • CVSSv3 score10/10 
  • Wormable 
  • If exploited correctly, an attacker can run anything as NT AUTHORITY\SYSTEM. 
  • Patch released, requires reboot. Temp mitigation in form of a change to a registry key exists. 


How is the vulnerability exploited (in short)?
 

In short, the vulnerability involves triggering a Heap-Based buffer overflow exploiting integer with a DNS query, which in turn can be used to make the DNS server respond on queries with malformed URLs. Which, in turn, can be used to inject the payload into the targeted Windows Server running Windows DNS.

The attacker must be able to send DNS queries to the DNS server, which in most cases (hopefully), would require the attacker to have access to the victims’ LAN/ network.

  • Never expose internal DNS servers or domain controllers 

Read more details in the research article published by Check Point Research. 

 

Am I affected? 

As previously mentioned, Windows DNS on Windows Server 2003 – 2019 is affected. Patches are available all the way back to Windows Server 2008, even though mentioned Windows Server version had reached the end of life.

Windows DNS is a standalone role that must be added to a Windows Server installation. It is, however, common to install this role on domain controllers (Windows AD), so that domain members can easily query the controllers for IP addresses to other members in the directory. Thus, having the Windows DNS role on one or multiple servers in an environment is very common.

If you are running Azure Active Directory Domain Services (AADDS) with no standalone server for Windows DNS, you should be good. It’s up to Microsoft to keep AADDS patched and secure, and you can’t modify the backend Windows Servers anyways.

If you are running Windows AD on standalone Windows server(s), either on physical hardware, on a hypervisor such as Hyper-V or VMWare, or in any cloud provider such as Azure or Amazon, you are likely affected. We recommend that you consider getting your servers patched as soon as possible.

For those running Windows DNS on standalone servers; you know what to do. 

 

Mitigation 

The recommended way of mitigating this is through patching your servers. It can either be deployed with the latest cumulative update or with a standalone security-only update. Both updates will likely require a reboot.

If you, for whatever reason, cannot patch and reboot your servers any time soon, there is also temporary mitigation available. You can set a single registry value and restart the DNS server after. Make sure you revert this manual change when you patch your servers later.

 

Resources 

Microsoft: 

Security Guidance on SIGRed / CVE-2020-1350 
Windows Server release information 
Microsoft End-of-Life search 

Others: 

Check Point Research on how SIGRed can be exploited 
Bleeping Computer – 200714 – “Microsoft patches critical wormable SigRed bug in Windows DNS Server”.

 

Don't miss a single update

Subscribe to our newsletter