This threat report covers a critical Common Vulnerabilities and Exposures (CVE) entry affecting the Windows DNS Server service, disclosed in the Microsoft security updates released on 7/14/2020. The vulnerability is tracked as CVE-2020-1350 and is commonly referred to as SIGRed.
- Allows for remote code execution
- Has proof-of-concept (POC) exploits available on the internet
- Affects all versions of Windows Server from 2003 to 2019
The vulnerability is recognized as “wormable,” giving it the potential for similar impact as the EternalBlue and BlueKeep vulnerabilities.
Microsoft and Avertium, as well as other sources, strongly urge that the July 2020 updates be applied to mitigate this vulnerability.
SIGRed Tactics, Techniques, and Procedures
CVE-2020-1350, or SIGRed, was originally discovered by Check Point Research and affects “dns.exe,” the Windows DNS Server service executable.
Because the DNS service runs as the SYSTEM user, and Windows DNS is very commonly hosted on domain controllers, successful exploitation can give a malicious actor Domain Administrator-level control.
To exploit this vulnerability, an attacker must get the vulnerable server to process a specially crafted DNS response. The attacker can do this by pointing the NS records of a domain they own at a malicious DNS server under their control and then causing the vulnerable server to resolve a name in that domain (for example, by having an internal client look it up). A response carrying a SIG record whose size exceeds 64 KB triggers an integer overflow in the server's 16-bit length calculation, which in turn results in a heap-based buffer overflow. The outcome is a crash of the DNS service or, potentially, execution of attacker-controlled code.
Because a DNS response over UDP is limited to 512 bytes (or roughly 4 KB with EDNS0), an oversized response of this kind must instead be delivered over TCP, where the 2-byte length prefix allows messages of up to 65,535 bytes.
the server. Chromium-based browsers such as Google Chrome, as well as Mozilla Firefox, are not vulnerable to this attack vector.
What SIGRed Means to You
- May lead to a malicious actor gaining Domain Administrator privileges, resulting in complete control over your network and compromise of the systems on it.
- Devastating financial impact as a result of system compromise and disaster recovery/incident response efforts.
What You Can Do About CVE-2020-1350
We recommend applying the patches Microsoft released on 7/14/2020 within your environment as soon as possible. If the patches cannot be applied for CVE-2020-1350, Microsoft has also provided a registry-based workaround.
If patches cannot be applied, setting the TcpReceivePacketSize registry value provided by Microsoft (under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters) to 65280 (0xFF00) caps the size of inbound DNS-over-TCP messages the server will accept, which blocks the oversized responses this exploit requires. The DNS service must be restarted for the change to take effect, and the workaround should be removed once the update is installed.
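The following PowerShell is an added example (it is not part of the original report or of Microsoft's own KB text) that applies, verifies, and later removes the TcpReceivePacketSize workaround described above. The function names are this example's own; the registry path, value name, and 0xFF00 value are the ones Microsoft documents. Run it in an elevated PowerShell session on each Windows DNS server.

```powershell
# Added example for the CVE-2020-1350 (SIGRed) registry workaround.
# Assumes: elevated PowerShell on a server running the DNS Server role.
# Function names (Set-/Test-/Remove-SigRedWorkaround) are this example's own.

$DnsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$MaxTcpSize = 0xFF00   # 65280 bytes, the value Microsoft specifies

function Set-SigRedWorkaround {
    # Caps inbound DNS-over-TCP messages; larger responses are dropped,
    # which blocks the >64 KB SIG responses the exploit depends on.
    if (-not (Test-Path $DnsParams)) {
        throw "DNS Server role does not appear to be installed ($DnsParams missing)."
    }
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
        -Value $MaxTcpSize -Force | Out-Null
    # The new limit is only read when the DNS service starts.
    Restart-Service -Name DNS -Force
}

function Test-SigRedWorkaround {
    # Returns $true only if the value exists and is exactly 0xFF00.
    $item = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq $MaxTcpSize)
}

function Remove-SigRedWorkaround {
    # Restore default behaviour once the July 2020 update is installed.
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
}

# Usage: apply the workaround, then confirm it took effect.
Set-SigRedWorkaround
if (Test-SigRedWorkaround) {
    Write-Output ("Workaround in place on {0}: {1} = 0x{2:X}" -f `
        $env:COMPUTERNAME, $ValueName, $MaxTcpSize)
} else {
    Write-Warning "Workaround NOT applied on $env:COMPUTERNAME; check permissions and the DNS role."
}
```

Two caveats a practitioner should keep in mind: a TCP DNS response larger than the configured limit is dropped without any error, so the very rare legitimate response above 65,280 bytes will simply fail to resolve while the workaround is in place; and the setting lives on each DNS server individually, so for a fleet run Set-SigRedWorkaround through Invoke-Command against every server that hosts the role, and run Remove-SigRedWorkaround once the July 2020 update is confirmed installed.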
- Execution: https://attack.mitre.org/tactics/TA0002/
- Native API: https://attack.mitre.org/techniques/T1106/
Denial of Service POC
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.