SIGRed (CVE-2020-1350) is a critical, wormable RCE (remote code execution) vulnerability in the Windows DNS Server that can be triggered by an attacker with a malicious DNS response. It received a CVSS base score of 10, and according to the Check Point researchers who found this 17-year-old flaw, the likelihood of exploitation is high.
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
ATTACK WORK FLOW:
1. The attacker sends a phishing email containing a malicious link to users.
2. A user opens the email and clicks the malicious link.
3. This sends a DNS query to the attacker’s internal DNS server.
4. The DNS server then sends a query to the malicious server, and the response causes a buffer overflow in memory. This allows the attacker to hijack the execution flow and execute unintended instructions, thereby gaining control of the kernel within the Windows DNS server.
How to Fix the SIGRed Vulnerability:
- Patching the SIGRed vulnerability: The best way to remediate SIGRed is to patch immediately, using the security update released by Microsoft.
Note: No user action is required if you have automatic updates enabled.
- If applying the patch to the vulnerable servers is not an immediate option, a workaround is available. To mitigate the risk from SIGRed, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:
Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value name = TcpReceivePacketSize
Value = 0xFF00
Note: You must restart the DNS Service for the registry change to take effect.
The default (also maximum) value = 0xFFFF
The recommended value = 0xFF00 (255 bytes less than the maximum)
To remove the workaround:
After applying the patch, the administrator can delete the value TcpReceivePacketSize and its data, so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
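The workaround and its later removal, as an added PowerShell example that is not part of the original article: it reports the current TcpReceivePacketSize under the DNS\Parameters key, sets it to 0xFF00 and restarts the DNS service, or deletes it again once the security update is installed. The function names and the -Action parameter are my own; the value is written as a DWORD, which is the type Microsoft's workaround guidance uses. It assumes an elevated session on a server running the DNS Server role.

```powershell
# Added example, not from the original advisory: manage the SIGRed registry
# workaround (TcpReceivePacketSize = 0xFF00) on a Windows DNS server.
# Run in an elevated PowerShell session:  .\SigRedWorkaround.ps1 -Action apply
param(
    [ValidateSet('status', 'apply', 'remove')]
    [string]$Action = 'status'
)

$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280 = 255 bytes below the 0xFFFF default/maximum

# The workaround only applies where the DNS Server role is installed.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    throw 'The DNS Server service is not present on this host; nothing to do.'
}

function Get-TcpReceivePacketSize {
    # Returns the configured size, or $null when the value is absent
    # (absent means the default of 0xFFFF is in effect).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-SigRedWorkaround {
    # REG_DWORD is the type Microsoft's workaround guidance uses for this value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Recommended -Force | Out-Null
    Restart-Service -Name DNS          # required for the change to take effect
    $current = Get-TcpReceivePacketSize
    if ($current -ne $Recommended) {
        throw "Workaround not applied: $ValueName is '$current', expected 0xFF00"
    }
    'Workaround applied: {0} = 0x{1:X4}' -f $ValueName, $current
}

function Disable-SigRedWorkaround {
    # Remove the value only after the security update has been installed;
    # everything else under the Parameters key is left untouched.
    if ($null -eq (Get-TcpReceivePacketSize)) {
        return "Nothing to remove: $ValueName is not set"
    }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    Restart-Service -Name DNS
    'Workaround removed: {0} deleted, default 0xFFFF back in effect' -f $ValueName
}

switch ($Action) {
    'apply'  { Enable-SigRedWorkaround }
    'remove' { Disable-SigRedWorkaround }
    'status' {
        $size = Get-TcpReceivePacketSize
        if ($null -eq $size) {
            "$ValueName not set: default 0xFFFF in effect, workaround NOT active"
        } elseif ($size -le $Recommended) {
            '{0} = 0x{1:X4}: workaround active' -f $ValueName, $size
        } else {
            '{0} = 0x{1:X4}: above the recommended 0xFF00' -f $ValueName, $size
        }
    }
}
```

Running the script with no parameter only reports the current state, which is the safe default for a fleet-wide check; `-Action apply` and `-Action remove` each restart the DNS service, so schedule them in a maintenance window on busy resolvers.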
Security update released for critical DNS vulnerability (CVE-2020-1350)