Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CVE-2020-1350: Wormable Remote Code Execution Vulnerability in Windows DNS Server Disclosed (SIGRed)

Researchers disclose a 17-year-old wormable flaw in Windows DNS servers. Organizations are strongly encouraged to apply patches as soon as possible.

Update July 17, 2020: The Proof of Concept and Solutions sections have been updated to reflect the availability of proof of concept scripts and the availability of an audit file for Tenable products.

Background

On July 14, Microsoft patched a critical vulnerability in Windows Domain Name System (DNS) Server as part of Patch Tuesday for July 2020. The vulnerability was disclosed to Microsoft by Sagi Tzadik and Eyal Itkin, researchers at Check Point Research, who dubbed this vulnerability “SIGRed.” According to the researchers, the vulnerability has persisted in Windows DNS Server for 17 years. Microsoft has published its own blog post about the flaw, warning that they consider it wormable.

Analysis

CVE-2020-1350 is a critical remote code execution (RCE) vulnerability in Windows DNS servers due to the improper handling of DNS requests. It was assigned a CVSSv3 score of 10.0, the highest possible score. To exploit this vulnerability, an attacker would send a malicious request to a vulnerable Windows DNS server. Successful exploitation would grant the attacker arbitrary code execution privileges under the Local System Account context. Microsoft warns that systems at risk include “Windows servers” that have been “configured as DNS servers.”

Second major wormable flaw patched this year

In March of this year, Microsoft released patches for CVE-2020-0796, a wormable RCE vulnerability in Microsoft Server Message Block 3.1.1, known as EternalDarkness or SMBGhost. While we have yet to see SMBGhost used in a wormable fashion, SIGRed marks the second wormable Microsoft vulnerability patched this year.

SIGRed can be triggered via the browser

Researchers at Check Point found that they could remotely trigger the vulnerability through a web browser. This is achieved by “smuggling” a DNS query in an HTTP request as part of the POST data. However, this vulnerability can only be exploited through browsers that accept HTTP requests over the standard DNS port (53), which include Internet Explorer and Microsoft Edge versions that are not using Chromium.

As part of a demonstration, Check Point Researchers show how they could trigger the vulnerability by sending a link to a user in an email, which when opened would smuggle the DNS query inside of the HTTP request.

Proof of concept

At the time this blog post was published, there was no working proof-of-concept (PoC) code available for this vulnerability. However, we have seen at least one fake PoC that RickRolls users. In the past, we’ve also observed some malicious scripts that masquerade as PoCs being published to GitHub. We strongly advise caution when dealing with alleged PoCs.

Since CVE-2020-1350 was made public on July 14, PoCs have been published to GitHub including scripts to apply the mitigation instructions listed in the Solutions section, as well as a few scripts [1, 2] that exploit the flaw in order to cause a denial of service.

Solution

Microsoft has released patches to address SIGRed across a variety of Windows Server releases. Despite Windows Server 2008 reaching end of life in January 2020, Microsoft has published security patches to prevent unsupported systems from being compromised by a potential worm.

Tenable strongly encourages organizations to apply these patches as soon as possible.

Article Products KB
4565536 Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core)
KB4565536
4565529 Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core)
KB4565529
4565524 Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core)
KB4565524
4565539 Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core)
KB4565539
4565537 Windows Server 2012
Windows Server 2012 (Server Core)
KB4565537
4565535 Windows Server 2012
Windows Server 2012 (Server Core)
KB4565535
4565541 Windows Server 2012 R2
Windows Server 2012 R2 (Server Core)
KB4565541
4565540 Windows Server 2012 R2
Windows Server 2012 R2 (Server Core)
KB4565540
4565511 Windows Server 2016
Windows Server 2016 (Server Core)
KB4565511
4558998 Windows Server 2019
Windows Server 2019 (Server Core)
KB4558998
4565483 Windows Server, version 1903 (Server Core)
Windows Server, version 1909 (Server Core)
KB4565483
4565503 Windows Server, version 2004 (Server Core) KB4565503


If applying these patches is not currently feasible, Microsoft provided a workaround via a Windows registry modification:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

In order for these changes to take effect, the DNS Service must be restarted.

Microsoft recommends removing the workaround after patches have been applied.

On July 17, our Audit and Compliance team released an audit file for Tenable products that will detect whether or not the mitigation has been applied to assets.

When a target is scanned, it will produce the following result:

If the registry modification has been applied, it will return a “PASSED” value under the compliance tab, otherwise it will return a “FAILED” value.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.