This threat report covers a critical Common Vulnerabilities and Exposures (CVE) entry for Windows DNS Server disclosed in the security updates Microsoft released on 7/14/2020. The vulnerability is tracked as CVE-2020-1350 and is commonly referred to as SIGRed.
This vulnerability:
The vulnerability is recognized as "wormable" (it can be exploited without user interaction and could spread from one vulnerable server to another), carries a CVSS score of 10.0, and has the potential for an impact similar to the EternalBlue and BlueKeep vulnerabilities.
Microsoft and Avertium, as well as other sources, strongly urge that the July 2020 updates be applied to mitigate this vulnerability.
CVE-2020-1350, or SIGRed, was originally discovered by Check Point Research and affects the “dns.exe” module of Microsoft DNS services.
Because the DNS service runs as SYSTEM, and is commonly hosted on domain controllers, successful exploitation may give a malicious actor Domain Administrator rights.
To exploit this vulnerability, an attacker sends a specially crafted DNS response to the vulnerable server. The attacker can arrange this by pointing the NS records of a domain they control at a malicious DNS server they operate, so that the target forwards a query there and parses the response. A response carrying a SIG record whose parsed size exceeds 64 KB overflows a 16-bit length value on the vulnerable server, which results in a heap-based buffer overflow. The outcome is a crash of the DNS service (denial of service) or, potentially, execution of unauthorized code.
Because DNS over UDP limits message size (512 bytes, more only when EDNS is negotiated), the attacker must deliver the oversized response over TCP, where a 16-bit length prefix allows messages of up to 65,535 bytes.
Check Point Research notes that an attacker must either have access to the target's internal network or indirectly trigger a DNS request from inside it. One vector for the latter is luring an internal user to a site hosting malicious JavaScript (or similar) code. The code would send an HTTP POST request, with a DNS query smuggled in its body, through the victim's browser to TCP port 53 of the DNS server; because a DNS-over-TCP server reads the first two bytes of the connection as the message length, the request is consumed as a DNS message. Google Chrome and Mozilla Firefox refuse HTTP requests to port 53 and so cannot be used for this vector; Check Point found that Internet Explorer and the pre-Chromium Microsoft Edge allowed such requests.
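The mechanics described in the two passages above (an oversized SIG record that only fits over TCP, and a browser-originated HTTP POST to port 53 being framed as a DNS message), as an added Python illustration. This is not Check Point's proof of concept and not code from dns.exe: the DNS message layout is constructed for the example, and the allocation-size arithmetic (the assumed RECORD_OVERHEAD constant and the 16-bit accumulation) is a simplified model of the bug class, not a reproduction of the server's actual code.

```python
"""Added illustration (not Check Point's PoC and not dns.exe code) of:
  1. why a large SIG record cannot travel over UDP and needs DNS-over-TCP framing,
  2. a simplified model of the 16-bit size wrap that leads to the heap overflow,
  3. how an HTTP POST aimed at TCP port 53 is framed by a DNS-over-TCP reader.
All sizes, constants and the sample message are constructed for this example.
"""
import struct
from typing import Optional, Tuple

DNS_UDP_MAX = 512        # classic DNS/UDP payload limit (RFC 1035)
DNS_TCP_MAX = 0xFFFF     # 2-byte length prefix caps a DNS/TCP message at 65,535 bytes
TYPE_SIG = 24            # RR type SIG
RECORD_OVERHEAD = 0x14   # assumed fixed per-record bookkeeping; a model constant


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_sig_response(qname: str, signature: bytes) -> bytes:
    """Constructed DNS response: header, one question, one SIG answer.

    SIG RDATA: type covered, algorithm, labels, original TTL, expiration,
    inception, key tag, signer's name, signature (RFC 2535 layout)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_SIG, 1)
    rdata = (struct.pack("!HBBIIIH", 1, 5, 2, 3600, 0, 0, 0)
             + encode_name(qname) + signature)
    answer = (encode_name(qname)
              + struct.pack("!HHIH", TYPE_SIG, 1, 3600, len(rdata))
              + rdata)
    return header + question + answer


def frame_for_udp(msg: bytes) -> Optional[bytes]:
    """UDP carries the message as-is, but only up to 512 bytes without EDNS."""
    return msg if len(msg) <= DNS_UDP_MAX else None


def frame_for_tcp(msg: bytes) -> Optional[bytes]:
    """DNS over TCP prefixes the message with its 16-bit big-endian length."""
    if len(msg) > DNS_TCP_MAX:
        return None
    return struct.pack("!H", len(msg)) + msg


def read_tcp_frame(stream: bytes) -> Tuple[int, bytes]:
    """What a DNS/TCP server does with whatever arrives on port 53: the first
    two bytes are taken as the message length, the rest as the DNS message."""
    (length,) = struct.unpack("!H", stream[:2])
    return length, stream[2:2 + length]


def vulnerable_alloc_size(sig_len: int, signer_name_len: int) -> int:
    """Model of the bug: the buffer size for the parsed SIG record is summed in
    a 16-bit variable, so a large signature plus the (decompressed) signer name
    plus fixed overhead wraps to a small allocation; the following copy of
    sig_len bytes then overruns the heap chunk."""
    return (sig_len + signer_name_len + RECORD_OVERHEAD) & 0xFFFF


def checked_alloc_size(sig_len: int, signer_name_len: int) -> Optional[int]:
    """Patched behaviour in the model: sum in full width and reject records
    whose parsed size does not fit in 16 bits instead of letting it wrap."""
    total = sig_len + signer_name_len + RECORD_OVERHEAD
    return total if total <= 0xFFFF else None


if __name__ == "__main__":
    small = build_sig_response("example.com", b"\x00" * 100)
    big = build_sig_response("example.com", b"\x00" * 65000)
    print("small over UDP:", frame_for_udp(small) is not None)     # True
    print("big over UDP:", frame_for_udp(big) is not None)         # False: needs TCP
    print("big over TCP:", frame_for_tcp(big) is not None)         # True
    print("vulnerable alloc:", vulnerable_alloc_size(65400, 255))  # wraps to 139
    print("checked alloc:", checked_alloc_size(65400, 255))        # None: rejected
    # Constructed browser-style request hitting port 53: "PO" becomes the length.
    http = b"POST / HTTP/1.1\r\nHost: dns.example\r\n\r\n" + small
    length, body = read_tcp_frame(http)
    print(hex(length), body[:13])   # 0x504f, b'ST / HTTP/1.1'
```

The model deliberately sizes the allocation from the parsed record (signature plus the decompressed signer name plus overhead) rather than from the wire length: that is how a message that itself fits inside a 65,535-byte TCP frame can still push the server's 16-bit sum past 65,535, while the 512-byte UDP limit rules out UDP delivery entirely.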
We recommend applying the patch below within your environment as soon as possible. If the patch for CVE-2020-1350 cannot be applied immediately, Microsoft has also provided a registry-based workaround.
Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1350#ID0EGB
If the patch cannot be applied, set the registry value below, as provided by Microsoft. It caps inbound DNS-over-TCP messages at 65,280 bytes (0xFF00); larger inbound TCP responses are dropped, and the DNS service must be restarted for the change to take effect.
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD: TcpReceivePacketSize
Value: 0xFF00
MITRE Mapping(s)
Denial of Service POC
https://packetstormsecurity.com/files/158484/SIGRed-Windows-DNS-Denial-Of-Service.html
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.