SIGRed (CVE-2020-1350) is a critical, wormable remote code execution (RCE) vulnerability in Windows DNS Server that an unauthenticated attacker can trigger with a malicious DNS response. It received a CVSS base score of 10.0, and according to the Check Point researchers who found this 17-year-old flaw, the likelihood of exploitation is high.
Microsoft has released a patch for the SIGRed vulnerability (CVE-2020-1350) as part of the July 2020 Patch Tuesday updates (14 July 2020); the flaw affects Windows Server versions from 2003 through 2019.
Windows DNS Server is a core component of an Active Directory domain environment: it is the server role that answers DNS queries on Windows Server, and in most domains it runs on the domain controllers themselves with SYSTEM privileges, which is why code execution in this service leads directly to control of the domain.
Breaking Down SIGRed:
The researchers found an integer overflow in dns.exe!SigWireRead, the function that parses SIG resource records from a DNS response, which leads to a heap-based buffer overflow. The function computes the size of the heap buffer for the parsed record as a 16-bit value. A SIG record carried in a TCP response can have almost 64 KB of RDATA, and the Signer's Name inside the record can be a 2-byte compression pointer that expands to a name of up to 255 bytes; when the expanded name length and the signature length are added together, the 16-bit sum wraps, the server allocates a small buffer, and then copies the full signature into it.
SIG (signature record) is a DNS record type originally defined for DNSSEC in RFC 2535 and still used for SIG(0) transaction signatures (RFC 2931) and TKEY (RFC 2930); RFC 3755 designated RRSIG as the replacement for SIG within DNSSEC. Windows DNS Server still parses the legacy type, which is why this old code path remains reachable.
As the Check Point write-up (quoted by GBHackers) puts it: “by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.” A response of that size cannot travel over UDP, so the attacker's name server first answers the Windows server's UDP query with the TC (truncated) flag set; the Windows server then retries the query over TCP, where a DNS message may be up to 65,535 bytes, and receives the oversized SIG record.
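To make the size computation concrete, here is a small model of it in C. It is an added example and not code from dns.exe or from the Check Point write-up: the SIG field layout follows RFC 2535, while the 0x14-byte per-record header, the 24-byte minimum message framing and the exact shape of the arithmetic are assumptions chosen to mirror the description above. The last function also shows why capping TCP responses at 0xFF00 bytes, as Microsoft's registry workaround does, removes the wrap in this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed SIG RDATA fields before the Signer's Name (RFC 2535 section 4.1):
 * type covered(2) algorithm(1) labels(1) original TTL(4) expiration(4)
 * inception(4) key tag(2) = 18 bytes. */
#define SIG_FIXED_LEN     18
/* Per-record in-memory header added by the parser (assumed constant). */
#define RR_HEADER_LEN     0x14
/* Longest wire-format DNS name (RFC 1035). */
#define MAX_NAME_LEN      255
/* Smallest framing around one answer record (assumption): 12-byte DNS
 * header plus name(2, compression pointer) type(2) class(2) TTL(4) RDLENGTH(2). */
#define MIN_MSG_OVERHEAD  24

/* Signature bytes following the signer's name: RDLENGTH minus the fixed
 * fields minus the bytes the name occupies on the wire (2 for a pointer). */
size_t wire_sig_len(uint16_t rdlength, size_t wire_name_len) {
    size_t consumed = SIG_FIXED_LEN + wire_name_len;
    return rdlength > consumed ? rdlength - consumed : 0;
}

/* Vulnerable computation: the allocator takes a 16-bit length, so the sum
 * of expanded name + header + signature is silently truncated. */
uint16_t vuln_alloc_size(size_t expanded_name_len, size_t sig_len) {
    return (uint16_t)(expanded_name_len + RR_HEADER_LEN + sig_len);
}

/* Bytes the parser will actually write into the buffer (untruncated). */
size_t bytes_copied(size_t expanded_name_len, size_t sig_len) {
    return expanded_name_len + RR_HEADER_LEN + sig_len;
}

/* True when the truncated allocation is smaller than the copy, i.e. the
 * heap overflow condition. wire_name_len is the on-wire size of the
 * signer's name, expanded_name_len its size after following pointers. */
bool sig_overflows(uint16_t rdlength, size_t wire_name_len,
                   size_t expanded_name_len) {
    size_t sig_len = wire_sig_len(rdlength, wire_name_len);
    return vuln_alloc_size(expanded_name_len, sig_len)
           < bytes_copied(expanded_name_len, sig_len);
}

/* Hardened computation: do the arithmetic in size_t and reject anything
 * that would not fit the 16-bit allocator argument. Returns 0 on rejection. */
size_t safe_alloc_size(size_t expanded_name_len, size_t sig_len) {
    if (expanded_name_len > MAX_NAME_LEN) return 0;
    size_t needed = bytes_copied(expanded_name_len, sig_len);
    return needed > UINT16_MAX ? 0 : needed;
}

/* Effect of the TcpReceivePacketSize workaround: with TCP messages capped at
 * tcp_limit bytes, can the worst case (2-byte pointer expanding to a 255-byte
 * name, largest RDLENGTH that still fits) still wrap the 16-bit size? */
bool tcp_cap_prevents_overflow(uint32_t tcp_limit) {
    if (tcp_limit <= MIN_MSG_OVERHEAD) return true;
    uint32_t max_rdlength = tcp_limit - MIN_MSG_OVERHEAD;
    if (max_rdlength > UINT16_MAX) max_rdlength = UINT16_MAX;
    return !sig_overflows((uint16_t)max_rdlength, 2, MAX_NAME_LEN);
}

int main(void) {
    /* Worst case over TCP: RDLENGTH 0xFFFF, 2-byte pointer to a 255-byte name. */
    size_t sig = wire_sig_len(0xFFFF, 2);
    printf("signature bytes: %zu, allocated: %u, copied: %zu, overflow: %s\n",
           sig, (unsigned)vuln_alloc_size(MAX_NAME_LEN, sig),
           bytes_copied(MAX_NAME_LEN, sig),
           sig_overflows(0xFFFF, 2, MAX_NAME_LEN) ? "yes" : "no");
    printf("cap 0xFFFF safe: %s, cap 0xFF00 safe: %s\n",
           tcp_cap_prevents_overflow(0xFFFF) ? "yes" : "no",
           tcp_cap_prevents_overflow(0xFF00) ? "yes" : "no");
    return 0;
}
```

In the worst case the record carries 65,515 signature bytes, the truncated size comes out at 254 bytes, and the parser then copies about 64 KB into that buffer, which is the “roughly 64KB over a small allocated buffer” in the quote above. With the message capped at 0xFF00 the largest possible RDLENGTH in this model leaves the sum just under 65,536, so no wrap occurs.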
The attacker does not even need to reach the DNS server directly. The researchers also showed that a web browser inside the network can deliver the triggering DNS query: a page that issues an HTTP POST to the target DNS server on port 53 “causes the Windows DNS Server to interpret this payload as if it was a DNS query.” DNS over TCP prefixes every message with a two-byte length, so the server takes the first two bytes of the HTTP request as that length and parses the rest of the request and its body as a DNS message. The smuggled query asks the server to resolve a name in the attacker's domain, which draws the oversized SIG response described above from the attacker's name server. Chrome and Firefox refuse connections to port 53, but Internet Explorer and the pre-Chromium Edge did not, so luring a domain user to a malicious web page is enough to start the attack from outside the network.
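The framing confusion is easy to see in code. The following C parser is an added example, not code from Windows DNS Server or from the researchers; the HTTP request is a constructed sample, and the model does only what RFC 1035 section 4.2.2 framing requires (a two-byte length, then a 12-byte DNS header), with no check that the bytes look like DNS at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1035 section 4.2.2: over TCP, each DNS message is preceded by a
 * two-byte big-endian length. The fields below are what a server reads
 * from the first 14 bytes of a connection. */
typedef struct {
    uint16_t frame_len;   /* declared message length from the prefix */
    uint16_t id;          /* DNS header: transaction ID */
    uint16_t flags;       /* DNS header: flags word */
    uint16_t qdcount;     /* DNS header: question count */
    uint16_t ancount;     /* DNS header: answer count */
    bool     is_query;    /* QR bit (0x8000) clear means "query" */
} dns_tcp_frame;

static uint16_t be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse a TCP stream the way a length-prefixed DNS server does. Returns
 * false only when fewer than 14 bytes (prefix + full header) are present;
 * nothing about the content is validated, which is the point. */
bool parse_dns_tcp_prefix(const uint8_t *stream, size_t n, dns_tcp_frame *out) {
    if (n < 14) return false;
    out->frame_len = be16(stream);
    out->id        = be16(stream + 2);
    out->flags     = be16(stream + 4);
    out->qdcount   = be16(stream + 6);
    out->ancount   = be16(stream + 8);
    out->is_query  = (out->flags & 0x8000) == 0;
    return true;
}

/* Constructed HTTP request, like one a browser sends when a page posts a
 * form to http://<dns-server>:53/ (sample input, not captured traffic;
 * 192.0.2.53 is a documentation address). */
static const char constructed_http_post[] =
    "POST / HTTP/1.1\r\n"
    "Host: 192.0.2.53:53\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello";

/* Parse the constructed request as if it had arrived on port 53. */
dns_tcp_frame parse_constructed_post(void) {
    dns_tcp_frame f = {0};
    parse_dns_tcp_prefix((const uint8_t *)constructed_http_post,
                         sizeof constructed_http_post - 1, &f);
    return f;
}

int main(void) {
    dns_tcp_frame f = parse_constructed_post();
    printf("declared length 0x%04X (%u bytes), id 0x%04X, flags 0x%04X, %s\n",
           f.frame_len, f.frame_len, f.id, f.flags,
           f.is_query ? "parsed as a query" : "parsed as a response");
    return 0;
}
```

For the constructed request the prefix “PO” becomes a declared length of 0x504F (20,559) bytes, “ST” becomes the transaction ID, and “ /” the flags word with the QR bit clear, so the server treats what follows as a query. Because the server keeps reading until 20,559 bytes have arrived, the attacker's page must pad the POST body to at least that length; the five-byte body here only keeps the sample short. Note that 20,559 is far below both 0xFFFF and 0xFF00, so the TcpReceivePacketSize workaround does not reject the smuggled query itself; what it blocks is the oversized SIG response the server later fetches from the attacker's name server.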
How to fix the SIGRed vulnerability
Patching the SIGRed Vulnerability
The right remediation is to install Microsoft's security update for CVE-2020-1350 immediately on every server running the DNS Server role, starting with domain controllers and any DNS server reachable from untrusted clients.
Note: no user action is required on servers with automatic updates enabled, but confirm that the July 2020 update has actually been installed on each DNS server.
Workaround
If applying the patch to the vulnerable servers is not an immediate option, Microsoft provides a registry-based workaround. To mitigate the risk from SIGRed, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet the server will accept:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: TcpReceivePacketSize (DWORD)
Data: 0xFF00
Note: You must restart the DNS Server service (for example with net stop dns followed by net start dns) for the registry change to take effect.
- The default (also the maximum) value is 0xFFFF (65,535 bytes).
- The recommended value is 0xFF00 (65,280 bytes, 255 bytes less than the maximum).
Once the workaround is in place, the Windows DNS server will reject TCP responses from upstream servers larger than 65,280 bytes, so any name whose response exceeds that size will fail to resolve for its clients. Such responses are rare in practice, but the change should be reverted (the value removed or reset to 0xFFFF) once the security update has been installed.
Sources:
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/
- https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
- https://gbhackers.com/windows-dns-server/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350