Patch Tuesday Special Edition: SIGRed

by

July 21, 2020

(This article’s a bit late as I was on vacation last week, so if you’ve already patched your Windows Server with the bug fixes released on July 14th to protect it against CVE-2020-1350, great. If not, get crackin’!)

A 17-year-old vulnerability is finally being patched by Microsoft and you should take note.

SIGRed (or CVE-2020-1350) is a wormable, critical vulnerability with a Common Vulnerability Scoring System (CVSS) rating of 10, meaning “High Severity”. The CVSS only goes up to 10, so this thing is pretty gnarly.

If exploited successfully, SIGRed grants an attacker Domain Administrator rights and compromises the entire corporate infrastructure.

SIGRed affects Windows Server versions 2003 to 2019. This video by Check Point Research shows how easily SIGRed can be triggered via a link in a malicious email:


I’m not going to pretend that I understand even a fraction of what’s going on here (I’m only a humble marketing monkey), but the blog article posted by Check Point (which you can read here: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/) is very, very in-depth.

Should you be worried?

Yeah, I mean, it’s got a 10 on the CVSS scale. Check Point Research only found the vulnerability in May and Microsoft responded quickly in issuing the CVE and patching it (relatively speaking).

Check Point also acknowledges there are no known working exploits. If you watch the video above, the only thing that happens is the target’s DNS servers crash. However, there is potential for SIGRed to become a very, very nasty exploit if left unchecked.

Considering how hesitant people are to patch their Windows Domain environments/Domain Controllers, we can see SIGRed becoming a real pain in the “you-know-what.”

What can you do?

Patch your Domain environments. Use this link if you need help in finding the appropriate patch. Otherwise, Check Point says there is a workaround until you’re able to implement the patch.

They say that if you set the maximum length of a DNS message (over TCP) to 0xFF00 you should be able to nip SIGRed in the bud without patching, via the following commands (run from an elevated command prompt on the DNS server):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
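If you have more than a couple of DNS servers to look after, you will want to check whether the workaround is actually in place before relying on it. The following PowerShell script is an added example, not code from the original post or from Check Point: it reads the TcpReceivePacketSize value from the registry path above, reports whether it is at or below 0xFF00, and (only when run with the hypothetical -Apply switch) sets the value and restarts the DNS service, which is exactly what the reg add / net stop / net start sequence does.

```powershell
# Added example (not from the original post or Check Point): audit and, on request,
# apply the TcpReceivePacketSize workaround for CVE-2020-1350 on the local DNS server.
# Run in an elevated PowerShell session on the Windows DNS server. The workaround is
# only a stop-gap until the July 14, 2020 update is installed.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports status
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valName = 'TcpReceivePacketSize'
$safeMax = 0xFF00    # maximum TCP DNS message length recommended as the workaround

# Read the current value, if any. A missing value means the server uses its default,
# i.e. no cap has been applied.
$current = (Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue).$valName

if ($null -eq $current) {
    Write-Output "$valName is not set: workaround NOT applied"
} elseif ($current -le $safeMax) {
    Write-Output ("{0} = 0x{1:X}: workaround applied" -f $valName, $current)
} else {
    Write-Output ("{0} = 0x{1:X}: larger than 0x{2:X}, workaround NOT effective" -f $valName, $current, $safeMax)
}

if ($Apply -and (($null -eq $current) -or ($current -gt $safeMax))) {
    # -Force overwrites an existing value of the same name (equivalent to reg add /f)
    New-ItemProperty -Path $regPath -Name $valName -PropertyType DWord -Value $safeMax -Force | Out-Null
    # The DNS service must be restarted for the new limit to take effect
    # (equivalent to net stop DNS && net start DNS)
    Restart-Service -Name DNS
    Write-Output ("Set {0} to 0x{1:X} and restarted the DNS service" -f $valName, $safeMax)
}
```

Run it without -Apply first to see where each server stands; a value larger than 0xFF00 is reported as ineffective because the workaround depends on the cap being at or below that limit. Once the patch is installed, Check Point and Microsoft's guidance is to remove the registry value again so the server returns to its default behaviour.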

Hope that helps.


Carl Keyser is the Content Manager at Integris.
