Critical update for SigRed Bug in Windows DNS Server

[German] A bug has been sitting in the code of the Windows DNS server for 17 years and leads to a critical vulnerability. The wormable flaw can be exploited to gain domain administrator privileges and to compromise the entire underlying corporate infrastructure.



I already received the information from Check Point last night, but under embargo, so I am only now getting around to publishing the details. Security researchers at Check Point Software Technologies have discovered a vulnerability that had remained undiscovered for 17 years. The vulnerability, called SIGRed, is so dangerous that Microsoft has given the highest possible priority to fixing it. All Windows server operating systems since 2003 are affected. A patch is available, but must be installed manually. There is also a temporary workaround.

SIGRed Critical Vulnerability (CVE-2020-1350)

In their blog post, security researchers at Check Point Software Technologies describe the SIGRed (CVE-2020-1350) remote code execution vulnerability in Windows Domain Name System servers. The root cause is that the DNS server does not handle requests properly. Microsoft tracks the issue as "Windows DNS Server Remote Code Execution Vulnerability"; the flawed code has been in the product for 17 years.

SIGRed (CVE-2020-1350) is a wormable critical vulnerability with a CVSS base score of 10.0. It resides in the Windows DNS server and affects Windows Server versions 2003 through 2019. It is triggered by a malicious DNS response. Because the DNS service runs with elevated privileges (SYSTEM), and in most environments the Windows DNS server is also a domain controller, an attacker who successfully exploits the vulnerability effectively obtains domain administrator rights. This puts the entire corporate infrastructure at risk.

(Source: YouTube)

By sending a DNS response that contains a SIG record whose parsed size exceeds 64 KB, an attacker can cause a controlled heap-based buffer overflow of approximately 64 KB and execute malicious code. The size of the record is computed in a 16-bit value; a record above 65,535 bytes wraps that value, so a heap buffer that is far too small is allocated and then overflowed by the copy of the record. Such a response can only be delivered over TCP (a UDP response cannot carry it; DNS over TCP allows messages of up to 65,535 bytes, and DNS name compression lets the parsed record grow beyond that limit), which is why the workaround described further down targets the TCP receive size. The attacker does not need direct access to the server: it suffices that a client in the network looks up a domain whose name server the attacker controls and the Windows DNS server forwards the query there. Check Point Software Technologies demonstrates this in the YouTube video above and reveals the details in their blog post.



The Domain Name System (DNS) is the "phone book of the Internet" and allows clients to connect to servers to access resources. It is a model that maps domain names to IP addresses so that a connection reaches the correct server. If this mapping can be manipulated, the security of everything built on it collapses.

Microsoft provides patch and workaround

Microsoft has issued an advisory for this vulnerability and provides details in the CVE-2020-1350 article. It lists the critical updates for Windows Server 2008 SP2 up to Windows Server version 2004 (Server Core installation). The bug is fixed with the regular Windows updates of patchday July 14, 2020.

If the patch cannot be installed immediately, Microsoft explains in the support article KB4569509 how to at least mitigate the vulnerability with a workaround. The registry key for this is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Add a 32-bit DWORD value named TcpReceivePacketSize with the data 0xFF00 to mitigate the vulnerability. The relevant values are:

  • The default value (also the maximum) = 0xFFFF
  • The recommended value = 0xFF00 (255 bytes less than the maximum)

You need to restart the DNS service for the registry change to take effect. Since this was asked in my German blog: TCP-based DNS response packets that exceed the configured value are dropped without an error. This could lead to some queries not being answered and to unexpected failures. However, a DNS server is only negatively affected by this workaround if it receives valid TCP responses that are larger than the configured value (over 65,280 bytes). Details, including the FAQ, can be found in the article linked here.
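To make the arithmetic behind the bug and behind the recommended registry value concrete, here is a small C model written for this post; it is not code from Microsoft, Check Point or dns.exe. It assumes that the parsed size of a SIG record is the wire RDATA with the signer's compressed name replaced by its expanded form, it omits any per-record overhead the real server adds, and all function names are made up. The name parser follows the RFC 1035 compression rules, and the sample name buffer is constructed inline.

```c
/* Added illustration for this post, not code from Microsoft, Check Point or
 * dns.exe: a record-level model of the SIGRed (CVE-2020-1350) size arithmetic
 * and of the TcpReceivePacketSize workaround. Function names and the
 * simplified size formula are assumptions; per-record overhead is omitted. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME 255u     /* RFC 1035: an expanded name is at most 255 bytes */
#define DNS_PTR_LEN  2u       /* a compression pointer is 2 bytes on the wire */

/* Expanded length of the name at `off`, following RFC 1035 compression
 * pointers; *wire_len receives the bytes the name occupies at `off`.
 * Returns 0 for a malformed, over-long or looping name. */
size_t dns_name_expanded_len(const uint8_t *msg, size_t len, size_t off,
                             size_t *wire_len)
{
    size_t total = 0, wire = 0;
    bool jumped = false;
    int hops = 0;
    while (off < len) {
        uint8_t c = msg[off];
        if (c == 0) {                            /* root label ends the name */
            if (!jumped) wire += 1;
            *wire_len = wire;
            return (total + 1 <= DNS_MAX_NAME) ? total + 1 : 0;
        }
        if ((c & 0xC0) == 0xC0) {                /* compression pointer */
            if (off + 1 >= len || ++hops > 8) return 0;
            if (!jumped) { wire += DNS_PTR_LEN; jumped = true; }
            off = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (c > 63 || off + 1 + c > len) return 0;   /* bad label / truncated */
        if (!jumped) wire += 1 + c;
        total += 1 + c;
        off += 1 + c;
    }
    return 0;                                    /* ran off the end */
}

/* Parsed size of a SIG record: wire RDATA with the compressed signer's name
 * replaced by its expanded form. The vulnerable pattern keeps the result in
 * 16 bits, so anything above 65,535 wraps and a far too small heap buffer is
 * allocated for a copy of the full record. */
uint16_t vulnerable_record_size(size_t rdlength, size_t name_wire,
                                size_t name_expanded)
{
    return (uint16_t)(rdlength - name_wire + name_expanded);
}

/* Hardened pattern: compute in a wide type, reject what the field cannot hold. */
bool safe_record_size(size_t rdlength, size_t name_wire, size_t name_expanded,
                      uint16_t *out)
{
    if (name_wire > rdlength) return false;
    size_t total = rdlength - name_wire + name_expanded;
    if (total > UINT16_MAX) return false;
    *out = (uint16_t)total;
    return true;
}

/* Workaround: a TCP message longer than TcpReceivePacketSize is dropped
 * before it is parsed. */
bool tcp_message_accepted(size_t wire_len, uint32_t tcp_receive_packet_size)
{
    return wire_len <= tcp_receive_packet_size;
}

/* Why 0xFF00: in this model a record can outgrow its wire form by at most one
 * name expansion (255 - 2 bytes), so a cap of 0xFF00 keeps every parsed size
 * within 16 bits, while the 0xFFFF default leaves room for the wrap. */
bool limit_prevents_wrap(uint32_t tcp_receive_packet_size)
{
    return (size_t)tcp_receive_packet_size + DNS_MAX_NAME - DNS_PTR_LEN <= UINT16_MAX;
}

/* Constructed sample: a 255-byte name at offset 0 followed by a 2-byte pointer
 * back to it, as a compressed signer's name would look. Returns the expanded
 * length the parser computes for the pointer. */
size_t sample_pointer_expansion(size_t *wire_len)
{
    static uint8_t buf[DNS_MAX_NAME + DNS_PTR_LEN];
    static const uint8_t labels[4] = {63, 63, 63, 61};   /* 64+64+64+62+1 = 255 */
    size_t off = 0;
    for (int i = 0; i < 4; i++) {
        buf[off++] = labels[i];
        memset(buf + off, 'a', labels[i]);
        off += labels[i];
    }
    buf[off++] = 0;                                      /* root label */
    buf[off++] = 0xC0; buf[off++] = 0x00;                /* pointer to offset 0 */
    return dns_name_expanded_len(buf, sizeof buf, DNS_MAX_NAME, wire_len);
}

int main(void)
{
    size_t wire = 0, expanded = sample_pointer_expansion(&wire);
    uint16_t checked = 0;
    printf("signer name: %zu wire bytes -> %zu bytes expanded\n", wire, expanded);
    printf("RDLENGTH 0xFFFF: vulnerable size %u, hardened check %s\n",
           (unsigned)vulnerable_record_size(0xFFFF, wire, expanded),
           safe_record_size(0xFFFF, wire, expanded, &checked) ? "accepted" : "rejected");
    printf("limit 0xFFFF prevents wrap: %s, limit 0xFF00 prevents wrap: %s\n",
           limit_prevents_wrap(0xFFFF) ? "yes" : "no",
           limit_prevents_wrap(0xFF00) ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run; the output shows a 2-byte pointer expanding to 255 bytes, the 16-bit size wrapping to a tiny allocation for a maximal record, and that only the 0xFF00 cap keeps the computed size inside 16 bits. This is the reasoning behind "255 bytes less than the maximum": the parsed record can exceed the received message by at most one name expansion.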

Similar articles:
Microsoft Office Patchday (July 7, 2020)
Microsoft Security Update Summary (14. Juli 2020)
Patchday: Windows 10-Updates (14. Juli 2020)





This entry was posted in Security, Update, Windows.

2 Responses to Critical update for SigRed Bug in Windows DNS Server

  1. Brian Hampson says:

    The July patch for 2008R2 won't apply. It reverts after install. 0x80070661 – wrong architecture.

    https://www.reddit.com/r/sysadmin/comments/hru0ra/anyone_having_issue_installing_the_patch_for_the/

    I guess for the 2008(R2) crowd, the regedit will have to suffice.

    • guenni says:

Do you have an ESU license for Windows Server 2008 R2? If not, this is clear – Win 7 / Win Server 2008/R2 have been out of support since January 14, 2020. Without an ESU license, all update installs will fail and a rollback is initiated. The problem, as far as I found out: it was nearly impossible for customers without volume license subscriptions or E3 plans to obtain an ESU license – I don't know a solution so far.

The (unofficial) BypassESU solution used by some Windows 7 users isn't an option for Windows Server 2008 R2 systems (imho, due to a lot of collateral damage).

Have a look at Windows Server 2008 R2: 0patch fixes SIGRed vulnerability – there is a mitigation using a micropatch, which I recommend.
