Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2020-1350: Wormable Remote Code Execution Vulnerability in Windows DNS Server Disclosed (SIGRed)

Researchers disclose a 17-year-old wormable flaw in Windows DNS servers. Organizations are strongly encouraged to apply patches as soon as possible.

Update July 17, 2020: The Proof of Concept and Solutions sections have been updated to reflect the availability of proof of concept scripts and the availability of an audit file for Tenable products.

Background

On July 14, Microsoft patched a critical vulnerability in Windows Domain Name System (DNS) Server as part of Patch Tuesday for July 2020. The vulnerability was disclosed to Microsoft by Sagi Tzadik and Eyal Itkin, researchers at Check Point Research, who dubbed this vulnerability “SIGRed.” According to the researchers, the vulnerability has persisted in Windows DNS Server for 17 years. Microsoft has published its own blog post about the flaw, warning that they consider it wormable.

Analysis

CVE-2020-1350 is a critical remote code execution (RCE) vulnerability in Windows DNS servers due to the improper handling of DNS requests. It was assigned a CVSSv3 score of 10.0, the highest possible score. To exploit this vulnerability, an attacker would send a malicious request to a vulnerable Windows DNS server. Successful exploitation would grant the attacker arbitrary code execution privileges under the Local System Account context. Microsoft warns that systems at risk include “Windows servers” that have been “configured as DNS servers.”

Second major wormable flaw patched this year

In March of this year, Microsoft released patches for CVE-2020-0796, a wormable RCE vulnerability in Microsoft Server Message Block 3.1.1, known as EternalDarkness or SMBGhost. While we have yet to see SMBGhost used in a wormable fashion, SIGRed marks the second wormable Microsoft vulnerability patched this year.

SIGRed can be triggered via the browser

Researchers at Check Point found that they could remotely trigger the vulnerability through a web browser. This is achieved by “smuggling” a DNS query in an HTTP request as part of the POST data. However, this vulnerability can only be exploited through browsers that accept HTTP requests over the standard DNS port (53), which include Internet Explorer and Microsoft Edge versions that are not using Chromium.

As part of a demonstration, Check Point Researchers show how they could trigger the vulnerability by sending a link to a user in an email, which when opened would smuggle the DNS query inside of the HTTP request.

Proof of concept

At the time this blog post was published, there was no working proof-of-concept (PoC) code available for this vulnerability. However, we have seen at least one fake PoC that RickRolls users. In the past, we’ve also observed some malicious scripts that masquerade as PoCs being published to GitHub. We strongly advise caution when dealing with alleged PoCs.

Since CVE-2020-1350 was made public on July 14, PoCs have been published to GitHub including scripts to apply the mitigation instructions listed in the Solutions section, as well as a few scripts [1, 2] that exploit the flaw in order to cause a denial of service.

Solution

Microsoft has released patches to address SIGRed across a variety of Windows Server releases. Despite Windows Server 2008 reaching end of life in January 2020, Microsoft has published security patches to prevent unsupported systems from being compromised by a potential worm.

Tenable strongly encourages organizations to apply these patches as soon as possible.

Article Products KB
4565536 Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core)
KB4565536
4565529 Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core)
KB4565529
4565524 Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core)
KB4565524
4565539 Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core)
KB4565539
4565537 Windows Server 2012
Windows Server 2012 (Server Core)
KB4565537
4565535 Windows Server 2012
Windows Server 2012 (Server Core)
KB4565535
4565541 Windows Server 2012 R2
Windows Server 2012 R2 (Server Core)
KB4565541
4565540 Windows Server 2012 R2
Windows Server 2012 R2 (Server Core)
KB4565540
4565511 Windows Server 2016
Windows Server 2016 (Server Core)
KB4565511
4558998 Windows Server 2019
Windows Server 2019 (Server Core)
KB4558998
4565483 Windows Server, version 1903 (Server Core)
Windows Server, version 1909 (Server Core)
KB4565483
4565503 Windows Server, version 2004 (Server Core) KB4565503


If applying these patches is not currently feasible, Microsoft provided a workaround via a Windows registry modification:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

In order for these changes to take effect, the DNS Service must be restarted.

Microsoft recommends removing the workaround after patches have been applied.

On July 17, our Audit and Compliance team released an audit file for Tenable products that will detect whether or not the mitigation has been applied to assets.

When a target is scanned, it will produce the following result:

If the registry modification has been applied, it will return a “PASSED” value under the compliance tab, otherwise it will return a “FAILED” value.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.