{"id":15032,"date":"2020-07-15T11:09:10","date_gmt":"2020-07-15T09:09:10","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=15032"},"modified":"2024-07-26T17:43:01","modified_gmt":"2024-07-26T15:43:01","slug":"critical-update-for-sigred-bug-in-windows-dns-server","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/07\/15\/critical-update-for-sigred-bug-in-windows-dns-server\/","title":{"rendered":"Critical update for SigRed Bug in Windows DNS Server"},"content":{"rendered":"

[German<\/a>]There has been a bug in the code of the Windows DNS server for 17 years that leads to a critical vulnerability. The worm exploitable vulnerability could be exploited to gain domain administrator privileges and compromise the entire underlying corporate infrastructure.<\/p>\n

<\/p>\n

\"\"I already received the information from Check Point last night, but under embargo, so I am only now getting around to publishing the details. Security researchers at Check Point Software Technologies have discovered a vulnerability that had remained undiscovered for 17 years. The vulnerability, called SIGRed, is so dangerous that Microsoft has given the highest possible priority to fixing it. All Windows server operating systems since 2003 are affected. A patch is available, but must be installed manually. There is also a temporary workaround.<\/p>\n

SIGRed Critical Vulnerability (CVE-2020-1350)<\/h2>\n

In their blog post<\/a>, Check Point Software Technologies security researchers describe the SIGRed (CVE-2020-1350<\/a>) remote code execution vulnerability in Windows Domain Name System servers. The vulnerability is based on the bug that requests are not processed properly. The whole thing is also known as \"Windows DNS Server Remote Code Execution Vulnerability\" and has been lasting in the code since 17 years.<\/p>\n

SIGRed (CVE-2020-1350) is a wormable critical vulnerability assigned a CVSS baseline of 10.0. The vulnerability resides in the Windows DNS server, and affects Windows Server versions 2003 through 2019. The vulnerability could trigger a malicious DNS response. Because the service in question is running with elevated privileges (SYSTEM), an attacker who successfully exploits the vulnerability will be granted the rights of a domain administrator. This effectively puts the entire corporate infrastructure at risk.<\/p>\n

(Source: YouTube<\/a>)<\/p>\n

By sending a DNS response that contains a large (more than 64 KB) SIG record, an attacker can cause a controlled heap-based buffer overflow of approximately 64 KB, allowing malicious code to execute. Check Point Software Technologies demonstrates this in the YouTube video above, and reveals the details in their blog post<\/a>.<\/p>\n

The Domain Name System (DNS) is the 'phone book of the Internet' and allows clients to connect to servers to access resources. It is a model that maps domain names to IP addresses to allow a connection to the correct server. If this mapping is manipulated, the whole concept gets into a security imbalance.<\/p><\/blockquote>\n

Microsoft provides patch and workaround<\/h2>\n

Microsoft has issued this vulnerability advisory<\/a> and provides details in the CVE-2020-1350 article<\/a>. It lists the critical updates for Windows Server 2008 SP2 up to Windows Server version 2004 (Server Core installation). The bug will be fixed with the regular updates for Windows on patchday July 14, 2020.<\/p>\n

If a patch cannot be installed immediately, Microsoft provides additional information in the support article KB4569509<\/a>\u00a0 on how to at least mitigate the vulnerability with a workaround. The registry key for this is:<\/p>\n

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters<\/p>\n

Add a 32-Bit-DWORD value TcpReceivePacketSize = 0xFF00, to mitigate the vulnerability. Here are some more values:<\/p>\n