SigRed Windows DNS RCE Vulnerability
Summary
A buffer overflow vulnerability affecting Windows DNS Server called SigRed has been announced by researchers. It could be exploited on vulnerable Windows Server systems to execute arbitrary commands or propagate across affected networks.
Affected platforms
The following platforms are known to be affected:
Threat details
Vulnerability
Security researchers have released details of a remote code execution (RCE) vulnerability, known as SigRed, affecting Microsoft's Windows Domain Name System (DNS) Server. They claim that a remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code.
The vulnerability appears to be the result of the Windows DNS Server incorrectly parsing incoming TCP-based queries, or the responses it receives to queries it has forwarded over TCP. A crafted record causes the server to calculate a response size larger than the maximum its size field can hold; the value wraps (an integer overflow), so a much smaller buffer is allocated than the data subsequently copied into it, producing a heap-based buffer overflow. An attacker can trigger SigRed by sending specially crafted TCP packets to a vulnerable Windows DNS Server.
Network Propagation
As Windows DNS Server runs using a privileged local system account, and is required for any Windows Domain, exploitation of SigRed can allow an attacker full access to the affected network without user interaction. As such, SigRed can be classed as a 'wormable' vulnerability.
Active Directory & Windows DNS
Please note that Microsoft's Active Directory (AD) uses Windows DNS for a number of components, including domain controller location, DNS naming, and Active Directory Domain Services (AD DS), and that Windows DNS is installed by default with all Active Directory instances.
If your organisation uses Active Directory in any manner it is highly likely that Windows DNS will be operating in some capacity on your estate.
Threat updates
| Date | Update |
|---|---|
| 16 Jul 2020 | Proof-of-concept exploits discovered. A number of proof-of-concept exploits for SigRed have been discovered on the GitHub code repository. Whilst it seems that several of these are not fully functional, it is highly likely that weaponised exploits will begin appearing in the coming days. |
Remediation advice
Microsoft released an update to address SigRed as part of their standard monthly security releases. Affected organisations are encouraged to apply this update immediately.
Organisations that cannot apply the update should consider Microsoft's recommendation to limit the maximum incoming TCP packet size using the following registry modification:
```text
Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Type:  DWORD
Name:  TcpReceivePacketSize
Value: 0xFF00
```
Please note that this modification should be considered only a temporary measure. Organisations should also be aware that the value to enter is FF00; the 0x prefix is Microsoft's standard notation for signifying a hexadecimal value. The DNS Server service must be restarted for the change to take effect.
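As an added example that is not part of the original advisory or Microsoft's guidance, the following PowerShell script audits whether the registry mitigation above is present on a DNS server and, when run with the assumed -Apply switch, writes it and restarts the service. It assumes an elevated PowerShell session on the DNS server itself; the variable names are the example's own.

```powershell
# Added example (not from the advisory): audit and optionally apply Microsoft's interim
# TcpReceivePacketSize mitigation for CVE-2020-1350 on a Windows DNS Server.
# Assumes an elevated PowerShell session on the DNS server itself.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name     = 'TcpReceivePacketSize'
$Expected = 0xFF00   # the advisory's value FF00, written with PowerShell's 0x hex prefix

# The setting is only meaningful where the DNS Server service exists.
$dnsService = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $dnsService) {
    Write-Output 'DNS Server service not present on this host; nothing to do.'
    return
}

# Read the current value; a missing key or value means the mitigation is not in place.
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) {
    Write-Output "$Name is not set (mitigation NOT applied)."
} elseif ($current -eq $Expected) {
    Write-Output ("{0} = 0x{1:X} (mitigation applied)." -f $Name, $current)
} else {
    Write-Output ("{0} = 0x{1:X} (unexpected value; mitigation expects 0x{2:X})." -f $Name, $current, $Expected)
}

if ($Apply -and $current -ne $Expected) {
    # Write the DWORD, then restart the service so the new limit is read.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Expected -Force | Out-Null
    Restart-Service -Name 'DNS'
    Write-Output "Set $Name to 0xFF00 and restarted the DNS Server service."
}
```

Run without -Apply first to record the current state; remove the value again once the Microsoft update has been installed and the temporary mitigation is no longer required.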
Remediation steps
| Type | Step |
|---|---|
| Patch | Apply the necessary updates. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 |
| Action | If unable to apply the updates, apply the given mitigations. https://support.microsoft.com/en-gb/help/4569509/windows-dns-server-remote-code-execution-vulnerability |
Definitive source of threat updates
- https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
- https://blog.checkpoint.com/2020/07/14/sigred-this-is-not-just-another-vulnerability-patch-now-to-stop-the-next-cyber-pandemic/
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/
Last edited: 24 August 2020 10:39 am