Understanding the Microsoft DNS SIGRed Vulnerability CVE-2020-1350

Executive Summary

On July 14th, 2020, Microsoft disclosed a vulnerability in the Windows DNS Server service (dns.exe) that affects every modern version of Microsoft DNS. The flaw lets an attacker use a malformed DNS response to trigger remote code execution on an unpatched DNS server, with no authentication required. Because the DNS service runs with SYSTEM privileges and is typically installed on the same hosts as Active Directory domain controllers, a sufficiently capable attacker can turn this bug into administrative control of the server and, from there, of the domain.

In other words, this vulnerability bypasses most built-in security checks and security architecture and gives direct access to an organization's critical infrastructure. Microsoft also rates the vulnerability as "wormable": exploitation requires no user interaction and can be automated, so malware can spread from one vulnerable DNS server to the next without human intervention.

The vulnerability affects all versions of Windows Server from 2003 onward, including every version that was supported at the time of disclosure. You can learn more on the Microsoft listing for this CVE (see References).

Why It Matters (Criticality)

This vulnerability has the potential to let attackers compromise high-privilege domain accounts, giving them direct access to an organization's Active Directory infrastructure. The fact that it can be exploited by unattended malware raises the risk further.

The NVD CVSS base score for this vulnerability is 10.0 Critical, the highest possible score.

How the Attack Works (Anatomy)

The SIGRed vulnerability (CVE-2020-1350) takes advantage of an integer overflow that leads to a heap-based buffer overflow in the dns.exe!SigWireRead function, the routine that parses SIG resource records received in DNS responses.
The overflow is triggered by answering one of the server's own queries with an oversized SIG record. The attacker first causes the victim server to look up a name in an attacker-controlled domain (any client on the network resolving such a name is enough), then the attacker's name server replies with a crafted SIG record. As the Check Point writeup describes, the record uses DNS name compression so that the signer's name is tiny on the wire but large once expanded; SigWireRead computes the record's size in 16-bit arithmetic, the expanded size wraps to a small value, the server allocates too little heap memory, and the copy of the record data overflows it. For a detailed writeup see: SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers (Check Point Research, listed in References).

Detection

Detection Difficulty: Moderate

Most EDR, proxy, and firewall products will not detect this attack. Windows event logs are little help either: an exploit attempt against dns.exe does not leave a distinctive error code. Network-based detection is the most effective way to confidently detect this threat.

Network-Based Detection

ExtraHop Reveal(x) signature rules have been released to all production environments, providing visibility into attempts to exploit this vulnerability.

IDS Detection

Network monitoring and IDS tools such as Zeek or Suricata can detect this attack by looking for abnormally large DNS responses. The malicious response has to be delivered over TCP (the registry workaround below restricts exactly that path), so the useful signal is a DNS-over-TCP response whose length approaches the 64 KB maximum, especially one carrying a SIG (type 24) record; ordinary responses are a few hundred bytes.

Endpoint-Based Detection

Administrators can look for unusual child processes of dns.exe and other anomalous file system behavior from the dns.exe process; a legitimate DNS server has no reason to spawn command shells or write executables. Additionally, the memory exploitation prevention engines in some EDR products may detect and prevent exploitation by killing the dns.exe process, which stops the attack at the cost of a DNS outage until the service restarts.

Remediation and Response Strategy

Workarounds

Microsoft has published a workaround for server environments that cannot patch immediately because of change control or other requirements; the full writeup is in Microsoft's July 2020 Security Update for CVE-2020-1350 (see References). The workaround adds a registry value that caps the size of DNS packets the server accepts over TCP, then restarts the DNS service:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
    net stop DNS && net start DNS

The value 0xFF00 (65,280 bytes) is 255 bytes below the 0xFFFF default and maximum. A TCP-based DNS response larger than that is dropped without error, so a small number of legitimate oversized responses may go unanswered; Microsoft advises removing the TcpReceivePacketSize value once the server has been patched.

Remediation

To resolve this issue Microsoft recommends installing the appropriate security update for your server environment.
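The two technical points made above, the 16-bit size wrap inside SigWireRead and the oversized DNS-over-TCP response an IDS would key on, can be seen together in the following Python script. It is an added example, not code from the original post or from ExtraHop, Check Point or Microsoft. Its size arithmetic is a simplified model of the computation the Check Point writeup describes (RDLENGTH minus the signer name's wire length plus its expanded length, truncated to 16 bits), not a disassembly of dns.exe; the two DNS messages it inspects are constructed in the script rather than captured from the wire, and the function and field names are mine.

```python
"""Added example (not from the original post): model SIGRed's 16-bit size wrap and
flag oversized DNS-over-TCP responses. Sample frames are constructed below; the
arithmetic is a simplified model of dns.exe!SigWireRead, not a disassembly."""
import struct

SIG_TYPE = 24              # RR type SIG (RFC 2535)
WORKAROUND_LIMIT = 0xFF00  # TcpReceivePacketSize value from Microsoft's workaround
SIG_FIXED_RDATA = 18       # type covered, algorithm, labels, orig TTL, expiration, inception, key tag
MAX_POINTER_HOPS = 16      # bound on compression-pointer chasing so a pointer loop cannot hang us


def read_name(msg, offset):
    """Parse a possibly-compressed DNS name; return (bytes used on the wire at
    `offset`, length of the same name in uncompressed wire form)."""
    wire_len = expanded_len = 0
    pos, hops, jumped = offset, 0, False
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            if pos + 1 >= len(msg) or hops >= MAX_POINTER_HOPS:
                raise ValueError("truncated pointer or pointer loop")
            hops += 1
            if not jumped:
                wire_len += 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            jumped = True
            continue
        if not jumped:
            wire_len += 1 + length
        expanded_len += 1 + length
        pos += 1 + length
        if length == 0:                               # root label terminates the name
            return wire_len, expanded_len


def sig_alloc_size(rdlength, wire_name_len, expanded_name_len):
    """Model the size computed for a SIG record once its signer name is expanded.
    In 16-bit arithmetic a value above 0xFFFF wraps to a small allocation while
    the copy that follows still uses the large source length: the heap overflow.
    Returns (true_size, size_as_16bit, wrapped)."""
    true_size = rdlength - wire_name_len + expanded_name_len
    size16 = true_size & 0xFFFF
    return true_size, size16, size16 != true_size


def inspect_tcp_dns_response(frame):
    """Inspect one DNS-over-TCP message (2-byte length prefix + DNS message) and
    return the fields a detection rule would key on."""
    tcp_len = struct.unpack("!H", frame[:2])[0]
    msg = frame[2:2 + tcp_len]
    if len(msg) != tcp_len or tcp_len < 12:
        raise ValueError("declared length does not match payload")
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):                          # skip the question section
        offset += read_name(msg, offset)[0] + 4       # name + QTYPE + QCLASS
    findings = {"tcp_length": tcp_len,
                "exceeds_workaround_limit": tcp_len > WORKAROUND_LIMIT,
                "sig_records": []}
    for _ in range(ancount):
        offset += read_name(msg, offset)[0]
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SIG_TYPE:                         # signer name follows the 18 fixed bytes
            signer_wire, signer_expanded = read_name(msg, offset + SIG_FIXED_RDATA)
            true_size, size16, wrapped = sig_alloc_size(rdlength, signer_wire, signer_expanded)
            findings["sig_records"].append({"rdlength": rdlength, "alloc_true": true_size,
                                            "alloc_16bit": size16, "wraps": wrapped})
        offset += rdlength
    return findings


def build_sig_response(rdlength):
    """Construct a DNS-over-TCP response with one SIG answer (test data, not a capture).
    The signer name is a 2-byte pointer to a 245-byte name placed later in the same
    RDATA, so expansion adds 243 bytes; with rdlength near 0xFFFF the modeled size wraps."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # response, 1 question, 1 answer
    question = b"\x03sig\x07example\x03com\x00" + struct.pack("!HH", SIG_TYPE, 1)
    rdata_start = len(header) + len(question) + 2 + 10            # answer name pointer + fixed RR fields
    long_name_off = rdata_start + SIG_FIXED_RDATA + 2
    long_name = (b"\x3c" + b"a" * 60) * 4 + b"\x00"               # four 60-byte labels
    fixed = struct.pack("!HBBIIIH", 1, 5, 3, 3600, 0x5F0F0000, 0x5F0E0000, 0x1234)
    rdata = fixed + struct.pack("!H", 0xC000 | long_name_off) + long_name
    if rdlength < len(rdata):
        raise ValueError("rdlength too small for the sample RDATA")
    rdata += b"\x00" * (rdlength - len(rdata))                    # padding in place of the signature
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SIG_TYPE, 1, 3600, rdlength) + rdata
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    for label, frame in (("benign", build_sig_response(300)), ("sigred-like", build_sig_response(65300))):
        print(label, inspect_tcp_dns_response(frame))
```

Run as a script, the benign frame (RDLENGTH 300, 345 bytes on the wire) computes a sane size of 543, while the SIGRed-like frame (RDLENGTH 65300, 65,345 bytes on the wire) computes 65,543, which the 16-bit model truncates to 7. A Zeek or Suricata rule would implement the same two checks: alert on a TCP DNS response longer than 0xFF00 bytes (the threshold Microsoft's workaround enforces) and on any SIG record whose computed size wraps.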
Security updates can be obtained directly from Microsoft.

References

- SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers (Check Point Research)
- July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server (Microsoft)
- Windows DNS Server Remote Code Execution Vulnerability, CVE-2020-1350 (Microsoft Security Response Center)
- SANS ISC InfoSec Forums
- maxpl0it/CVE-2020-1350-DoS: A denial-of-service proof-of-concept for CVE-2020-1350

Posted by Jesse Munos in Security, Community, NDR, Reveal(x)