
What is the SIGRed Vulnerability (CVE-2020-1350) and How to Fix it

What is the SIGRed Vulnerability (CVE-2020-1350)?

SIGRed (CVE-2020-1350) is a critical, wormable RCE (remote code execution) vulnerability in the Windows DNS Server that an attacker can trigger with a malicious DNS response. It received a CVSS base score of 10, and according to the Check Point researchers who found this 17-year-old flaw, the likelihood of exploitation is high.

 

Microsoft has just released a patch for the SIGRed vulnerability (CVE-2020-1350), which affects Windows Server versions from 2003 to 2019.

 

The Windows DNS Server is an essential part of the Windows Domain environment and runs the DNS queries on Windows Server. 

 

Breaking Down SIGRed: 

 

Researchers found an integer overflow leading to a heap-based buffer overflow in “dns.exe!SigWireRead,” the function that parses SIG queries.

 

SIG (“Signature record”) is a DNS record type used in SIG(0) (RFC 2931) and TKEY (RFC 2930). RFC 3755 designated RRSIG as the replacement for SIG for use with DNSSEC.

 

According to GBHackers, “by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.”

 


 

This vulnerability can be exploited remotely through an HTTP payload: “sending it to the target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query.”

 

How to Fix the SIGRed Vulnerability

Patching the SIGRed Vulnerability 

The best way to remediate the SIGRed vulnerability is to patch immediately, using the patches released by Microsoft.

Note: No user action is required if you have auto updates enabled.

 

Workaround

If applying a patch to the vulnerable servers is not an immediate option, a workaround is available. To mitigate the risk from SIGRed, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 

TcpReceivePacketSize 

Value = 0xFF00 

 

Note: You must restart the DNS Service for the registry change to take effect. 

  • The Default (also max) Value = 0xFFFF 
  • The Recommended Value = 0xFF00 (255 bytes less than the max) 

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes. 
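The workaround above can be audited and applied from an elevated PowerShell session on the DNS server. The script below is an added example, not part of the original post or of Microsoft's guidance; the `-Apply` switch and the function name are this example's own, and it assumes the value is stored as a REG_DWORD, which this page does not state.

```powershell
# Added example: audit and optionally apply the SIGRed registry workaround.
# Run elevated on the Windows DNS server. Without -Apply it only reports.
param(
    [switch]$Apply   # hypothetical switch name chosen for this example
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Wanted    = 0xFF00   # recommended value from the workaround (65280)

function Get-TcpReceivePacketSize {
    # Returns the configured value, or $null when the value is absent
    # (absent means the default, 0xFFFF, is in effect).
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]($prop.$ValueName)
}

$current = Get-TcpReceivePacketSize
if ($null -eq $current) {
    Write-Output "$ValueName is not set; default 0xFFFF applies (workaround not in place)."
} else {
    Write-Output ('{0} is currently 0x{1:X}.' -f $ValueName, $current)
}

if ($current -eq $Wanted) {
    # The registry value alone does not prove the service was restarted since.
    Write-Output 'Workaround value is configured. Confirm the DNS service was restarted after the change.'
    return
}

if (-not $Apply) {
    Write-Output 'Re-run with -Apply to set 0xFF00 and restart the DNS service.'
    return
}

# Assumption: REG_DWORD value type (not stated on this page).
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Wanted -Force | Out-Null

# The change only takes effect after the DNS service restarts.
Restart-Service -Name DNS

$after = Get-TcpReceivePacketSize
if ($after -ne $Wanted) {
    throw "Verification failed: $ValueName was not set to 0xFF00."
}
Write-Output ('Set {0} to 0x{1:X} and restarted the DNS service.' -f $ValueName, $after)
```

Running it without `-Apply` first gives a read-only inventory of which servers still use the default, which is useful when the patch rollout is staged.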

 

 
