SIGRed Vulnerability (CVE-2020-1350) in Windows DNS Server


INTRODUCTION

SIGRed (CVE-2020-1350) is a critical, wormable RCE (remote code execution) vulnerability in the Windows DNS Server that an attacker can trigger with a malicious DNS response. It received a CVSS base score of 10, and according to the Check Point researchers who found this 17-year-old flaw, the likelihood of exploitation is high.

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

ATTACK WORKFLOW:

1. The attacker sends a phishing email with a malicious link to users.

2. A user opens the email and clicks the malicious link.

3. This sends a DNS query to the attacker's internal DNS server.

4. The DNS server then sends a query to the malicious server; the response causes a buffer overflow in RAM. This allows the attacker to hijack the execution flow and execute unintended instructions, thereby gaining control of the kernel within the Windows DNS server.

How to Fix the SIGRed Vulnerability:

  • Patching the SIGRed vulnerability: the best way to remediate SIGRed is to apply the patches released by Microsoft immediately (see the references below).
Note: No user action is required if you have auto updates enabled.
  • If patching the vulnerable servers immediately is not an option, a workaround is available. To mitigate the risk from SIGRed, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note: You must restart the DNS Service for the registry change to take effect.

Default (also maximum) value = 0xFFFF

Recommended value = 0xFF00 (255 bytes less than the maximum)

To remove the workaround:

After applying the patch, the admin can remove the value TcpReceivePacketSize and its corresponding data so that everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
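The workaround and its removal as a PowerShell script, added here as an example (not code from the original post or from Microsoft). It assumes it runs elevated on the DNS server, that the DNS role is installed, and that the service is named DNS; the function names are this example's own.

```powershell
# Added example: apply, verify and remove the SIGRed TcpReceivePacketSize workaround.
# Assumes an elevated session on a Windows DNS server (service name "DNS").
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280 bytes; the default and maximum is 0xFFFF

function Get-SigRedWorkaroundState {
    # Reports whether the value exists and whether it is at or below the recommended size.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Mitigated = $false }
    }
    $v = [int]$item.$ValueName
    return [pscustomobject]@{
        Present   = $true
        Value     = ('0x{0:X4}' -f $v)
        Mitigated = ($v -le $Recommended)
    }
}

function Enable-SigRedWorkaround {
    # Creates (or overwrites) the DWORD at the recommended value, then restarts the
    # DNS service, since the change only takes effect after a restart.
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'DNS service not found; this host does not appear to be a DNS server.'
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Recommended -Force | Out-Null
    Restart-Service -Name DNS
    Get-SigRedWorkaroundState
}

function Disable-SigRedWorkaround {
    # After the July 2020 security update is installed, delete only this value so the
    # rest of the Parameters key is left exactly as it was, then restart the service.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
    Get-SigRedWorkaroundState
}

# Usage: Get-SigRedWorkaroundState   # check current state
#        Enable-SigRedWorkaround     # before the patch
#        Disable-SigRedWorkaround    # after the patch
```

Get-SigRedWorkaroundState is also useful for fleet-wide auditing over PowerShell remoting, to confirm which unpatched servers still lack the mitigation.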

Security update released for critical DNS vulnerability (CVE-2020-1350)

References:

Microsoft Security Response Center advisory for CVE-2020-1350: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350 (July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows DNS (Domain Name System) Server): https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
