(This article’s a bit late as I was on vacation last week, so if you’ve already patched your Windows Server with the bug fixes released on July 14th to protect it against CVE-2020-1350, great. If not, get crackin’!)
A 17 year-old vulnerability is finally being patched by Microsoft and you should take note.
SIGRed (or CVE-2020-1350) is a worm-able, critical vulnerability that’s got a Common Vunerability Scoring System rating (CVSS) of 10, meaning “High Severity”. The CVSS only goes up to 10, so this thing is pretty gnarly.
If exploited successfully, SIGRed grants an attacker Domain Administrator rights and compromises the entire corporate infrastructure.
SIGRed affects Windows Server versions 2003 to 2019. This video by Check Point Research shows how easy it is for SIGRed to be implemented via a link in a malicious email:
I’m not going to pretend that I understand even a fraction of what’s going on here, I’m only a humble marketing monkey, but the blog article posted by Check Point (which you can read here: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/) is very, very in-depth.
Should you be worried?
Yeah, I mean, it’s got a 10 on the CVSS scale. Check Point Research only found the vulnerability in May and Microsoft responded quickly in issuing the CVE and patching it (relatively speaking).
Check Point also acknowledges there are no known workin exploits. If you watch the video above the only thing that happens is the target’s DNS servers crash. However, there is potential for SIGRed to be come a very, very nasty exploit if left unchecked.
Considering how hesitant people are to patch their Windows Domain environments/Domain Controllers, we can see SIGRed becoming a real pain in the “you-know-what.”
What can you do?
Patch your Domain environments. Use this link if you need help in finding the appropriate patch. Otherwise, Check Point says there is a work around until you’re able to implement the patch.
They say if you set the maximum length of a DNS message (over TCP) to 0xFF00 you should be able to nip SIGRed in the butt with out patching via the following command:
reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDNSParameters” /v “TcpReceivePacketSize” /t REG_DWORD /d 0xFF00 /f net stop DNS && net start DNS
Hope that helps.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.