SIGRed: Microsoft DNS Server RCE Vulnerability

By
Sooraj V Nair
Published on
15 Jul 2020
2 min read
Information Leakage

A critical Remote Code Execution (RCE) vulnerability CVE-2020-1350 dubbed SIGRed has been found in Microsoft Windows Domain Name System (DNS) servers.

This vulnerability is classified as a ‘wormable’ vulnerability which means a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.

It has a CVSS base score of 10, the highest possible risk score. The affected versions include Windows Server versions from 2003 to 2019.

This vulnerability has been in the Microsoft code for more than 17 years. This means that it’s likely that other attackers may have found and have taken advantage of the issue.

But according to Microsoft, this vulnerability is not currently known to be used in active attacks. Microsoft ranks this vulnerability as “exploitation more likely,” and it is essential that customers apply Windows updates to address this vulnerability as soon as possible.

This issue results from a flaw in Microsoft’s DNS server role implementation. It does not affect non-Microsoft DNS Servers. The main reason why this vulnerability exists is due to how Windows DNS server parses an incoming DNS query, as well as how forwarded DNS queries are handled.

The flaw itself is an integer-overflow bug. It can trigger a heap-based buffer overflow attack tied to the DNS module named dns.exe, which is responsible for answering DNS queries on Windows Servers.

Impact of SIGRed: Microsoft DNS Server RCE Vulnerability

If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling an attacker to take control of the server. This makes it possible for an attacker to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials, etc.

As the service runs in elevated privileges, if it is compromised, an attacker is also granted Domain Administrator rights. In certain scenarios, the vulnerability can be triggered remotely through browser sessions.

How to Prevent SIGRed: Microsoft DNS Server RCE Vulnerability

Microsoft has released a patch to update the DNS server to the latest version. If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server.

In order to work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

        Go to TcpReceivePacketSize and change the Value = 0xFF00

   

The Default (also max) Value = 0xFFFF and the Recommended Value = 0xFF00 (255 bytes less than the max).

Now restarting the DNS Service will allow the change to take effect.


Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days