By Keren Pollack, on July 15th, 2020

Microsoft published a new CVE 2020-1350, warning about a new critical vulnerability in their DNS servers.

 

The vulnerability was discovered by Check- Point’s research team and was already addressed with a patch released by Microsoft. Microsoft acknowledged this vulnerability as a critical vulnerability, scoring it as a CVSS  10.0 (highest possible severity). The vulnerability is wormable and affects Windows server versions 2003-2019.

 

SIGRed Overveiw:

The DNS is often referred to as the internet’s ‘address book’. It translates website names and Email addresses into the expression they are saved as in the DNS record. It is done by sending DNS queries. The DNS operates through UDP/TCP port 53 and it’s messages (queries and responses) are limited (to 512 bytes). DNS has a hierarchical structure. When a DNS server doesn’t have the answer to a query, the query is passed to a DNS higher in the hierarchy.

 

There are two main scenarios for this attack:

  1. A bug in the way the DNS parses an incoming query.
  2. A bug in the way the DNS server parses a response for a forwarded query.

The second scenario is more relevant, as most queries do not have a complex structure.

 

In this vulnerability, the attacker will use an Integer Overflow method, leading to Heap-Based Buffer Overflow, using a malicious DNS Name Server, which makes the targeted DNS server parse its responses.

 

The Final Outcome:

An attacker can use this method to leverage the DNS parsing bug to tamper with the DNS records your organization uses, and change the address your website and email are translated to. This can eventually allow him to intercept and read your emails, leading to a critical security issue.

 

The final outcome of this attack is an attacker having a Domain Administrator rights over your server, compromising your entire organization’s network. In addition, it is important to note that according to Microsoft, this is a wormable flaw, which adds another level of severity.

 

 

Mitigating SIGRed:

DNS security is often left unmonitored in many organizations, which may help the attack to spread throughout the organization’s network without any disturbance.

Microsoft published a patch on July 14th. This is the most recommended way to address this vulnerability.

 

A temporary workaround is also available, using a hardening action. By changing the maximum length of a DNS message to 0XFF00, you can eliminate this vulnerability.

You can use the following command to change your servers’ configurations manually:

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS

 

Mitigating SIGRed using CHS:

Changing servers’ configurations should be done with precaution, as it may lead to servers’ downtime. In addition, when using hardening methods to mitigate vulnerabilities, it is important to make sure that all relevant servers had the right change implemented. With CHS, both those issues are solved. CHS will report to you the potential impact of your desired change on each server, eliminating the risk for downtime and allowing you to implement changes fast. In addition, CHS will allow you to control all of your servers from a single control point. This way, you’ll be able to implement any changes desire on every server in a single action. CHS will also track your servers’ compliance posture to your policy and prevent any configuration drifts before they occur.

To learn more about how CHS can help you protect your organization from the SIGRed vulnerability, download our datasheet