Patch Tuesday Special Edition: SIGRed

July 21, 2020

(This article’s a bit late as I was on vacation last week, so if you’ve already patched your Windows Server with the bug fixes released on July 14th to protect it against CVE-2020-1350, great. If not, get crackin’!)

A 17-year-old vulnerability is finally being patched by Microsoft, and you should take note.

SIGRed (or CVE-2020-1350) is a wormable, critical vulnerability that’s got a Common Vulnerability Scoring System (CVSS) rating of 10, meaning “High Severity”. The CVSS only goes up to 10, so this thing is pretty gnarly.

If exploited successfully, SIGRed grants an attacker Domain Administrator rights and compromises the entire corporate infrastructure.

SIGRed affects Windows Server versions 2003 to 2019. This video by Check Point Research shows how easily SIGRed can be triggered via a link in a malicious email:

I’m not going to pretend that I understand even a fraction of what’s going on here; I’m only a humble marketing monkey. But the blog article posted by Check Point (which you can read here: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/) is very, very in-depth.

Should you be worried?

Yeah, I mean, it’s got a 10 on the CVSS scale. Check Point Research only found the vulnerability in May and Microsoft responded quickly in issuing the CVE and patching it (relatively speaking).

Check Point also acknowledges there are no known working exploits. If you watch the video above, the only thing that happens is that the target’s DNS server crashes. However, there is potential for SIGRed to become a very, very nasty exploit if left unchecked.

Considering how hesitant people are to patch their Windows Domain environments/Domain Controllers, we can see SIGRed becoming a real pain in the “you-know-what.”

What can you do?

Patch your Domain environments. Use this link if you need help in finding the appropriate patch. Otherwise, Check Point says there is a workaround until you’re able to implement the patch.

They say that if you set the maximum length of a DNS message (over TCP) to 0xFF00, you should be able to nip SIGRed in the butt without patching, via the following commands (run from an elevated command prompt on the DNS server):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
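As an added example (not from the original post or from Check Point), here is a PowerShell version of the same workaround that first reports whether the value is already in place, which is handy when checking several DNS servers, and only then writes it and restarts the service. It assumes it runs from an elevated prompt on the DNS server itself; the function names are my own.

```powershell
# Added example: check for and apply the TcpReceivePacketSize workaround for CVE-2020-1350.
# Assumes an elevated session on a Windows DNS server. Function names are hypothetical.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$MaxSize   = 0xFF00   # 65280 bytes, the cap the post recommends as an interim mitigation

function Get-SigRedWorkaroundState {
    # Returns 'Applied', 'TooLarge' or 'Missing' so the result can be logged or compared across hosts
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    # Any value at or below the cap keeps oversized TCP messages out; a larger value does not
    if ($item.$ValueName -le $MaxSize) { return 'Applied' }
    return 'TooLarge'
}

function Set-SigRedWorkaround {
    # Write the DWORD (overwriting any existing value) and restart DNS so the cap takes effect
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $MaxSize -Force | Out-Null
    Restart-Service -Name DNS -Force
}

$state = Get-SigRedWorkaroundState
Write-Host "$env:COMPUTERNAME : TcpReceivePacketSize workaround is $state"
if ($state -ne 'Applied') {
    Set-SigRedWorkaround
    Write-Host "$env:COMPUTERNAME : workaround applied, state is now $(Get-SigRedWorkaroundState)"
}
```

While the cap is in place, the server cannot resolve names whose upstream response is larger than 65,280 bytes, so once the July 14th update is installed the registry value should be removed again.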

Hope that helps.


Carl Keyser is the Content Manager at Integris.
