
SIGRed: What Is It, How Serious Is It, and How Should You Respond?

Microsoft DNS SIGRed Vulnerability CVE-2020-1350

Executive Summary

On July 14th, 2020, Microsoft disclosed a vulnerability in the Microsoft DNS Server subsystem affecting all modern versions of Microsoft DNS. This vulnerability allows attackers to use malformed DNS responses to trigger remote code execution on unpatched Microsoft DNS servers, with no authentication required. A sufficiently capable attacker can use this vulnerability to obtain remote administrative access to Microsoft DNS servers, which typically run on the same hosts as Microsoft Active Directory domain controllers.

In other words, this vulnerability bypasses the majority of built-in security checks and security architecture while providing direct access to an organization's critical infrastructure. Additionally, this vulnerability is "wormable", meaning the attack is easily automated and can spread from server to server via malware without user intervention.

This vulnerability affects all versions of Windows Server from 2003 onward, including all currently supported versions of Windows Server.

You can learn more on the Microsoft listing for this CVE.

Why It Matters (Criticality)

This vulnerability has the potential to allow attackers to compromise high-privilege domain accounts, giving them direct access to an organization's Active Directory infrastructure. Additionally, because the vulnerability can be exploited by unattended malware, its risk score is raised further.

The NIST NVD CVSS base score for this vulnerability is 10.0 CRITICAL (the highest possible score).

How the Attack Works (Anatomy)

The SIGRed vulnerability, CVE-2020-1350, takes advantage of an integer overflow that leads to a heap-based buffer overflow in the dns.exe!SigWireRead function. The overflow is triggered by answering a DNS query from the vulnerable server with a response containing an oversized SIG record.

For a detailed writeup see: SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers

Detection

Detection Difficulty: Moderate

Most EDR, proxy, and firewall products will not detect this attack. Additionally, Windows-based logging tools will not show definitive error codes.

Network-based detection is the most effective way to confidently detect this threat.

Network-Based Detection

ExtraHop Reveal(x) signature rules have been released to all production environments, providing visibility into attempts to exploit this vulnerability.

IDS Detection

Some IDS products, such as Zeek or Suricata, are able to detect this attack by looking for abnormally large DNS responses.
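The check described above, as an added example that is not part of the original post or any vendor's rule set: a small inspector that splits a DNS-over-TCP stream into length-prefixed messages, flags responses larger than the 0xFF00 (65280) byte cap that Microsoft's workaround enforces, and flags SIG records (type 24) carrying unusually large RDATA. The SIG_RDATA_ALERT threshold and the build_sample() fixture are assumptions constructed for this example.

```python
import struct
SIG_TYPE = 24            # RR type number for SIG (RFC 2535)
TCP_SIZE_CAP = 0xFF00    # cap the Microsoft workaround sets via TcpReceivePacketSize
SIG_RDATA_ALERT = 16384  # assumed heuristic threshold: flag SIG RDATA larger than this

def _skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer is 2 bytes and ends it."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect_dns_message(msg):
    """Return findings for one DNS message (TCP length prefix already removed)."""
    if len(msg) < 12:
        return ["truncated header"]
    flags, qd, an, ns, ar = struct.unpack("!xxHHHHH", msg[:12])
    if not flags & 0x8000:          # QR bit clear: this is a query, nothing to check
        return []
    findings = []
    if len(msg) > TCP_SIZE_CAP:
        findings.append(f"response of {len(msg)} bytes exceeds {TCP_SIZE_CAP}")
    off = 12
    for _ in range(qd):             # question: name, then QTYPE and QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):   # answer, authority and additional records
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            return findings + ["truncated record"]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SIG_TYPE and rdlen > SIG_RDATA_ALERT:
            findings.append(f"SIG record with {rdlen}-byte RDATA")
        off += rdlen
    return findings

def inspect_tcp_stream(stream):
    """Split a DNS-over-TCP byte stream into length-prefixed messages and inspect each."""
    findings, off = [], 0
    while off + 2 <= len(stream):
        length = struct.unpack("!H", stream[off:off + 2])[0]
        findings += inspect_dns_message(stream[off + 2:off + 2 + length])
        off += 2 + length
    return findings

def build_sample(sig_rdlen):
    """Constructed sample: a response whose single answer is a SIG RR with sig_rdlen RDATA bytes."""
    msg = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # header: QR=1, 1 question, 1 answer
           + b"\x07example\x03com\x00" + struct.pack("!HH", SIG_TYPE, 1)
           + b"\xC0\x0C" + struct.pack("!HHIH", SIG_TYPE, 1, 300, sig_rdlen) + bytes(sig_rdlen))
    return struct.pack("!H", len(msg)) + msg
```

A normal-sized SIG answer produces no findings, while one whose RDATA pushes the message past the cap produces both a size finding and a SIG finding; the per-message logic is equally usable on reassembled payloads from a packet capture.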

Endpoint-Based Detection

Administrators can look for unusual child processes of dns.exe and other anomalous file system behavior from the dns.exe process. Additionally, some EDR products with in-memory exploitation prevention engines may be able to detect and prevent exploitation by terminating the dns.exe process.

Remediation and Response Strategy

Workarounds

Microsoft has published a workaround for server environments that are unable to patch due to change control or other requirements. You can find the full writeup here. The workaround consists of adding a registry value (TcpReceivePacketSize) under the DNS service's Parameters key on the affected server and then restarting the DNS service, as outlined below:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f

net stop DNS && net start DNS

Remediation

To resolve this issue, Microsoft recommends installing the appropriate security update for your server environment. Security updates can be obtained directly from Microsoft.
