Advisory Overview
A Remote Code Execution (RCE) vulnerability exists affecting Windows Domain Name System (DNS) Servers when they improperly handle requests. Successful exploitation of this vulnerability could allow attackers to execute code with SYSTEM level privileges. SKOUT recommends all organizations update affected devices with the provided patch as soon as possible.
Technical detail and additional information
What is the threat?
A Remote Code Execution (RCE) vulnerability, dubbed SIGRed, was found by security researchers when a specially crafted request is sent to a vulnerable DNS server. When a DNS response is sent with a SIG record that is larger than 64KB, a heap-based buffer overflow is caused. When the request is sent through a HTTP payload to a victim server over port 53, the server interprets the payload as a DNS query.
Why is this noteworthy?
This overflow will cause the victim DNS server to act as a client and query a malicious DNS server and receive malicious responses. Successful exploitation of this vulnerability can allow for an attacker to execute code as SYSTEM or domain administrator. Additionally, this vulnerability is wormable meaning if an internal domain controller is compromised which happens to also function as a DNS server, the attacker has a foothold into the network which can be used for further exploitation. While this has not been seen being used yet, the likelihood of this vulnerability being exploited was deemed high.
What is the exposure or risk?
This vulnerability applies to all devices running Windows Server, specifically those running the DNS server role. This means that all organizations and individuals who have unpatched servers configured to run this service are vulnerable to exploitation. If exploited, an attacker could be able to intercept and/or tamper with emails or network traffic, spread malware, harvest credentials, or steal information resulting in a CVSS score of 10.
What are the recommendations?
Microsoft has released a patch that should be applied to all affected devices as soon as possible. For many systems, the patch was included in the monthly rollup. If patching affected devices is not immediately possible, the following registry change can be made to restrict the size of the largest inbound TCP-based DNS response packet allowed:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: TcpReceivePacketSize
Type: DWORD
Value data: 0xFF00
Once implemented, the DNS service must be restarted for the change to take effect. Instructions on making this change have been provided by Microsoft at https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability.
References:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
- https://www.computerweekly.com/news/252486110/Check-Point-unearths-critical-SIgRed-bug-in-Windows-DNS
- https://blog.rapid7.com/2020/07/14/windows-dns-server-remote-code-execution-vulnerability-cve-2020-1350-what-you-need-to-know/
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/
If you have any questions, please contact our Security Operations Center.