SIGRed Vulnerability (CVE-2020-1350)

SIGRed (CVE-2020-1350) is a critical, wormable RCE (remote code execution) vulnerability in the Windows DNS Server, that can be triggered by an attacker with malicious DNS response. It received a CVSS base score of 10, and according to the Check Point researchers who found this 17-year-old flaw, the likelihood of exploitation is high.

Microsoft have just released a patch for the SIGRed vulnerability (CVE-2020-1350) that affects Windows Server versions from 2003 to 2019.

CVE-2020-1350 brings to memory two recent issues that Forescout Research Labs has analyzed: CVE-2020-0796 (SMBGhost), which is also a wormable vulnerability affecting Windows, and CVE-2020-11901 (part of Ripple20), which affects DNS clients using the Treck TCP/IP stack. It reiterates that:

1. Critical vulnerabilities in Windows still happen very often, so IT equipment will continue to be a big concern in critical infrastructure and the Enterprise of Things.
2. The DNS protocol is a great target for malicious actors because of the possibilities of remote exploitation.

Affected Devices

Known vulnerable versions of Windows are Server 2008, Server 2012, Server 2016, Server 2019, version 1903, version 1909, and version 2004.

Mitigation

Everybody is advised to install the patch without delay. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on July 16^th giving federal government agencies 24 hours to patch the vulnerability.

There is an official registry-based workaround issued by Microsoft for servers that cannot be patched, as is often the case in critical infrastructure. This workaround restricts the largest allowed inbound TCP-based DNS response packet. To apply, it is necessary to change the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

and reboot the system.

Below, we describe how Forescout can help to protect your network:

• Visibility: Use Forescout to identify and classify potentially impacted Windows instances in your environment. Known vulnerable versions are Server 2008, Server 2012, Server 2016, Server 2019, version 1903, version 1909, and version 2004 (for most up-to-date details see Microsoft’s security advisory).
• Control: Leverage Forescout’s ability to install the missing patch or modify the registry property detailed above to mitigate the vulnerability.
• Segmentation: As an ongoing best practice, use Forescout to monitor DNS flows over TCP port 53 – these flows should be monitored for anomalies and should be controlled via segmentation in environments with internal DNS servers. Upon detection of violation, enact device restriction policies to mitigate risk to the network and prevent lateral movement.

Detecting the malicious DNS message requires a lot of parsing and some publicly released detection scripts can raise false alerts because they flag every long message as malicious. Forescout’s SilentDefense script works by checking DNS traffic based on TCP port 53. The DNS Responses are inspected in detail: there should be a “SIG” (type 24) or “RRSIG” (type 46) present. If so, the “signer’s name” subfield is checked for the presence of a string pointer. If present, the first character pointed to normally gives the size of the (first part of) the string. A malicious DNS message purposely sets the pointer wrong, so that a wrong byte is used as the string size. When this value is added to the record size, and the value is > 0xFFFF, then a 16-bit addition wraparound occurs in Window, and the wrong (much too small!) amount of memory is then allocated by Windows. This may cause memory in Windows be overwritten. The script alerts when it sees the addition result >0xFFFF. No check is done on the presence of any malware in the DNS Response message.