
What is the SIGRed Vulnerability (CVE-2020-1350) and How to Fix it

Yonatan Amitay | Jul 15, 2020 | Vulcan Cyber security researcher

What is the SIGRed Vulnerability (CVE-2020-1350)?

SIGRed (CVE-2020-1350) is a critical, wormable RCE (remote code execution) vulnerability in Windows DNS Server that an attacker can trigger with a malicious DNS response. It received a CVSS base score of 10, and according to the Check Point researchers who found this 17-year-old flaw, the likelihood of exploitation is high.

Microsoft has just released a patch for the SIGRed vulnerability (CVE-2020-1350), which affects Windows Server versions from 2003 to 2019.

Windows DNS Server is an essential part of a Windows domain environment and handles DNS queries on Windows Server.

Breaking Down SIGRed: 

Researchers found an integer overflow that leads to a heap-based buffer overflow in “dns.exe!SigWireRead,” the function that parses SIG queries.

SIG (“Signature record”) is a DNS record type used in RFC 2931 and TKEY (RFC 2930). RFC 3755 designated RRSIG as the replacement for SIG for use with DNSSEC.

According to GBHackers, “by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.”

This vulnerability can be exploited remotely through an HTTP payload: “sending it to the target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query.”

How to Fix the SIGRed Vulnerability

Patching the SIGRed Vulnerability 

The best way to remediate the SIGRed vulnerability is to patch immediately, using the patches released by Microsoft.

Note: No user action is required if you have auto updates enabled.

Workaround

If applying a patch to the vulnerable servers is not an immediate option, there is a workaround available. To mitigate the risk from SIGRed, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note: You must restart the DNS Service for the registry change to take effect. 

  • The Default (also max) Value = 0xFFFF 
  • The Recommended Value = 0xFF00 (255 bytes less than the max) 

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes. 
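
One way to audit and apply the registry workaround above from an elevated PowerShell session on the DNS server. This is an added example, not part of the original post; the `-Apply` switch and the function name are hypothetical, and the script assumes the DNS Server role runs under the service name `DNS`.

```powershell
# Added example: audit and optionally apply the SIGRed TcpReceivePacketSize workaround.
# Run in an elevated PowerShell session on the Windows DNS server.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Wanted    = 0xFF00   # recommended value from the article (65280 bytes)
$Default   = 0xFFFF   # default (also max) value, used when the entry is absent

function Get-TcpReceivePacketSize {
    # Returns the configured value, or the default when the entry does not exist.
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $Default }
    return [int]$prop.$ValueName
}

$current = Get-TcpReceivePacketSize
'{0} = 0x{1:X4} ({1} bytes)' -f $ValueName, $current

if ($current -eq $Wanted) {
    'Registry value matches the recommended workaround value.'
}
elseif (-not $Apply) {
    'Workaround value is NOT set. Re-run with -Apply to set it and restart DNS.'
}
else {
    # Set-ItemProperty creates the DWORD entry if it does not exist yet.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Wanted -Type DWord
    # The registry change takes effect only after the DNS service restarts.
    Restart-Service -Name DNS -Force
    'Set 0x{0:X4} and restarted DNS; value is now 0x{1:X4}.' -f $Wanted, (Get-TcpReceivePacketSize)
}
```

A matching registry value does not prove the service was restarted after the change, so on servers where the value was set by other means, confirm the DNS service start time as well.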


About the Author

Yonatan Amitay

Yonatan is a member of the Vulcan Cyber research team working to put more intelligence into remediation. He is perfectly suited for the job with experience as a full stack developer, Python developer, and as a cyber security infrastructure engineer.
