SIGRed (CVE-2020-1350) affects ALL Windows DNS Servers and leads to full domain compromise.

Yes that it is true. The high severity vulnerability identified by CVE-2020-1350, reported here, affects all versions of Windows DNS Server from 2003 to 2020 and since DNS servers are usually Domain Controllers, that results in obtaining Domain Admin privileges.

SIGRed is a wormable vulnerability with a CVSSv3 score of 10.0, the highest, and triggered by a malicious DNS request. Wormable means that the exploitation can succeed and spread without user interaction and makes it much more dangerous. The Domain Controllers host the Domain Name System and are most susceptible by this vulnerability.

It is important to note that SIGRed is the second Windows wormable vulnerability discovered in the 2020, after the known SMBGhost CVE-2020-0796 of the last March affecting Microsoft Server Message Block 3.1.1.

It is very likely expected to see a weaponization, or practical exploit, of these vulnerabilities in the near future, meaning updates, patches and workarounds should be applied immediately!

Cause

The DNS service runs as elevated user with high level of permissions, giving an attacker direct administrative control over the server. The vulnerability lies in an improper handling of certain types of DNS responses. For a better understanding of how DNS works, here you can find a good summary from Cloudflare.

The research and detailed explanation is published by Checkpoint Research but as a short summary, the DNS SIG packets, used for carrying a signature for DNSSEC, can be manipulated. The size of the packet is stored in a 16 bits field, an integer overflow occurs in case of packets of sizes bigger than 65535 bytes.

At this point, the integer resets and cause a shorter memory allocation than the actual data, causing an heap overflow. From this point onward, the researchers at Checkpoint identified the various primitives needed to complete the chain. It is just a matter of time until motivated attackers will finalize a practical working exploit.

Solution

As of today, 15th of July 2020, patches are available by Microsoft for the CVE-2020-1350 but if those are not possible to apply, there is a temporary workaround solution. Microsoft also released patches for unsupported systems like the old Windows Server 2008, to prevent them from being compromised.

This involves a registry key modification in order to restrict DNS TCP response packets of a size larger than (0xFF00) or 65280 bytes.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
 
DWORD = TcpReceivePacketSize 
Value = 0xFF00

The DNS service needs then to be restarted.

Organizations are strongly recommended and encouraged to apply the mentioned workaround or the relative patches as soon as possible in order to avoid catastrophic events to happen.


By Scola Carlo Alberto

Carlo Alberto is a cyber security expert with strong focus on web application security, complex network infrastructure penetration testing (Windows/Linux) as well as red teaming and, occasionally, threat hunting.

Carlo helps customers defend and secure their environment by doing extensive and thorough security assessments and penetration tests. He likes to share the acquired knowledge with colleagues and with the Internet.