Patch Tuesday Special Edition: SIGRed

by Carl Keyser

July 21, 2020

(This article’s a bit late as I was on vacation last week, so if you’ve already patched your Windows Server with the bug fixes released on July 14th to protect it against CVE-2020-1350, great. If not, get crackin’!)

A 17 year-old vulnerability is finally being patched by Microsoft and you should take note.

SIGRed (or CVE-2020-1350) is a wormable, critical vulnerability that’s got a Common Vulnerability Scoring System (CVSS) rating of 10, meaning “High Severity”. The CVSS only goes up to 10, so this thing is pretty gnarly.

If exploited successfully, SIGRed grants an attacker Domain Administrator rights and compromises the entire corporate infrastructure.

SIGRed affects Windows Server versions 2003 to 2019. This video by Check Point Research shows how easily SIGRed can be triggered via a link in a malicious email:

I’m not going to pretend that I understand even a fraction of what’s going on here, I’m only a humble marketing monkey, but the blog article posted by Check Point (which you can read here: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/) is very, very in-depth.

Should you be worried?

Yeah, I mean, it’s got a 10 on the CVSS scale. Check Point Research only found the vulnerability in May and Microsoft responded quickly in issuing the CVE and patching it (relatively speaking).

Check Point also acknowledges there are no known working exploits. If you watch the video above, the only thing that happens is the target’s DNS server crashes. However, there is potential for SIGRed to become a very, very nasty exploit if left unchecked.

Considering how hesitant people are to patch their Windows Domain environments/Domain Controllers, we can see SIGRed becoming a real pain in the “you-know-what.”

What can you do?

Patch your Domain environments. Use this link if you need help in finding the appropriate patch. Otherwise, Check Point says there is a workaround until you’re able to implement the patch.

They say that capping the maximum length of a DNS message received over TCP at 0xFF00 bytes should nip SIGRed in the bud without patching, via the following commands (run as an administrator on the DNS server, then restart the DNS service so the new value takes effect):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
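If you manage more than a handful of DNS servers, it helps to be able to check whether the interim workaround is actually in place before and after applying it. The script below is an added example written for this post, not code from Integris or from Check Point’s advisory: it reads the TcpReceivePacketSize value from the registry path quoted above, reports whether it is capped at 0xFF00, and optionally sets it and restarts the DNS service. It assumes an elevated PowerShell session on the DNS server itself; the function names are this example’s own.

```powershell
# Added example (not from the Integris post or Check Point's advisory):
# checks for, and on request applies, the interim registry workaround above.
# Assumptions: elevated PowerShell on the DNS server; the key path and value
# name are the ones quoted in the post.

$DnsParamsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName       = 'TcpReceivePacketSize'
$WorkaroundValue = 0xFF00   # 65280 decimal, the cap Check Point recommends

function Get-DnsTcpReceivePacketSize {
    # Returns the current value, or $null when it has never been set
    # (the DNS service then falls back to its built-in default).
    $props = Get-ItemProperty -Path $DnsParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Test-SigRedWorkaround {
    # True only when the value exists and is at or below the recommended cap.
    $current = Get-DnsTcpReceivePacketSize
    return ($null -ne $current) -and ($current -le $WorkaroundValue)
}

function Set-SigRedWorkaround {
    param([switch]$RestartDns)
    # -Force overwrites an existing value, so re-running this is harmless.
    New-ItemProperty -Path $DnsParamsKey -Name $ValueName -PropertyType DWord `
        -Value $WorkaroundValue -Force | Out-Null
    if ($RestartDns) {
        # The DNS service only reads the value at start-up, hence the restart.
        Restart-Service -Name DNS -Force
    }
    return Test-SigRedWorkaround
}

# Report the current state of this server.
if (Test-SigRedWorkaround) {
    Write-Host "TcpReceivePacketSize is $(Get-DnsTcpReceivePacketSize): interim workaround in place."
} else {
    Write-Host "TcpReceivePacketSize is not capped: apply the July 14th patch, or run Set-SigRedWorkaround -RestartDns until you can."
}
```

Run it as-is to audit a server, and call Set-SigRedWorkaround -RestartDns to apply the cap; it returns $true once the registry reflects the workaround. Remember the cap is a stopgap that only limits TCP message size, so the patch is still the real fix.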

Hope that helps.


Carl Keyser is a Digital Marketing Specialist at Integris.
