- WHY AVERTIUM?
-
-
Why Avertium?
Context over chaos. Disconnected technologies, siloed data, and reactive processes can only get you so far. Protecting businesses in today’s threat landscape demands more than a set of security tools – it requires context.
That's where Avertium comes in
-
Considering Microsoft?
Avertium Named Microsoft Security Solutions PartnerAvertium’s managed services for Microsoft Security Solutions is delivered through the company’s premium service: Fusion MXDR. Fusion MXDR includes 24x7 monitoring and management of Defender for Endpoint and Sentinel, threat intelligence, attack surface
monitoring, and vulnerability management for Microsoft Security customers.
-
-
- SOLUTIONS
- COMPANY
- PARTNERS
-
-
Our Partners
Best-in-class technology from our partners... backed by service excellence from Avertium.
-
Partner Opportunity Registration
Interested in becoming a partner?
With Avertium's deal registration, partners can efficiently and confidently connect with Avertium on opportunities to protect your deals.
-
-
- NEWS & RESOURCES
- CONTACT
SIGRed Overview
This threat report is regarding a critical common vulnerability and exposure (CVE) for Windows DNS services disclosed in the most recent updates provided by Microsoft on 7/14/2020. The vulnerability is dubbed CVE-2020-1350 and is commonly referred to as SIGRed.
This vulnerability:
- Allows for remote code execution
- Has proof-of-concept (POC) exploits available on the internet
- Affects all versions of Windows Server from 2003 to 2019
The vulnerability is recognized as “wormable,” giving it the potential for similar impact as the EternalBlue and BlueKeep vulnerabilities.
Microsoft and Avertium, as well as other sources, strongly urge recent updates to be applied to mitigate these vulnerabilities.
SIGRed Tactics, Techniques, and Procedures
CVE-2020-1350, or SIGRed, was originally discovered by Check Point Research and affects the “dns.exe” module of Microsoft DNS services.
Because the DNS service runs as the SYSTEM user, exploitation of this vulnerability may lead to a malicious actor gaining Domain Administrator rights.
To exploit this vulnerability, an attacker must send a specially crafted DNS response to the vulnerable server. An attacker can do this by configuring NS records toward a malicious DNS server in their control. A DNS response with a SIG record over 64 KB, creates an integer overflow on the vulnerable server, which results in a heap-based buffer overflow. This results in a crash or the potential to run unauthorized code.
Due to size limits for DNS over the UDP protocol, an attacker must instead send this over TCP.
Check Point Research notes that an attacker must have access to the target's internal network or indirectly create a DNS request from inside. One vector an attacker may use to do this is an internal user visiting their site hosting malicious JavaScript (or similar) code. The code would initiate a DNS query within an HTTP POST request through the victim’s browser to port 53 of
the server. Chromium-based browsers like Google Chrome and Mozilla Firefox are not vulnerable to this attack vector.
What SIGRed Means to You
- May lead to a malicious actor gaining Domain Administrator privileges, resulting in complete control over your network and compromise of systems.
- Devastating financial impact as a result of system compromise and disaster recovery/incident response efforts.
What You Can Do About CVE-2020-1350
We recommend applying the below patches within your environment as soon as possible. If patches are unable to be applied for CVE-2020-1350, Microsoft has provided a current workaround as well.
Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1350#ID0EGB
Workaround
If patches are unable to be applied, setting the below registry key value provided by Microsoft will prevent DNS over TCP size to 65280 (0xFF00).
Subkey: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDNSParameters
DWORD: TcpReceivePacketSize
Value: 0xFF00
Sources
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploitinga-17-year-old-bug-in-windows-dns-servers/
- https://support.microsoft.com/en-us/help/4569509/windows-dns-serverremote-code-executionvulnerability?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-GF_q8ajqNEnM8ja1_UC7ew&epi=je6NUbpObpQGF_q8ajqNEnM8ja1_UC7ew&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=(ir__lznn1jlsm0kftgrckk0sohznxm2xikyjupsta2so00)(7795)(1243925)(je6NUbpObpQGF_q8ajqNEnM8ja1_UC7ew)()&irclickid=_lznn1jlsm0kftgrckk0sohznxm2xikyjupsta2so00
Supporting Documentation
MITRE Mapping(s)
- Execution: https://attack.mitre.org/tactics/TA0002/
- Native API: https://attack.mitre.org/techniques/T1106/
Denial of Service POC
https://packetstormsecurity.com/files/158484/SIGRed-Windows-DNS-Denial-Of-Service.html
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed security service capabilities.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!