SIGRed


SIGRed vulnerability

A vulnerability named SIGRed and numbered CVE-2020-1350 was discovered in May 2020 by the Checkpoint Security Research Team.

Risks

  • Remote code execution
  • Server compromise
  • Data exfiltration

Affected systems

The following server versions are affected (when the DNS service is enabled):

  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Source:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

SIGRed Vulnerability

The SIGRed vulnerability affects the DNS service that can be enabled on server versions of Microsoft Windows.

It is rated critical by Microsoft because the DNS service runs with elevated privileges (SYSTEM), allowing an attacker to take remote control of the server in case of successful exploitation.

In a Microsoft environment, it is common to see the DNS service hosted directly on the domain controller; in that case, the attacker would obtain privileged access (SYSTEM) to one or more critical services.

Microsoft's fixes were made available with the July Patch Tuesday release, which fixes 123 vulnerabilities affecting 13 products:

  • Microsoft Windows
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based) in IE Mode
  • Microsoft ChakraCore
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Skype for Business
  • Visual Studio
  • Microsoft OneDrive
  • Open Source Software
  • .NET Framework
  • Azure DevOps

Source:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jul

Recommendations

Given the sensitivity of the information processed by the DNS service, combined with the criticality of code execution with SYSTEM rights on a server, it is recommended to apply the Microsoft patch as soon as possible.

Source:

https://github.com/search?q=CVE-2020-1350

Researchers or administrators who wish to understand how the vulnerability works must pay particular attention to what they download. Some repositories listed as PoCs are actually RickRoll-type traps, but others could be more dangerous.

Example of a RickRoll repository posing as a PoC:

https://github.com/ZephrFish/CVE-2020-1350

In the event that the patch cannot be applied, setting a registry value and then restarting the DNS service can protect the server from the exploitation techniques known at the time of writing this bulletin.

Command to add the registry value:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f

Command to restart the service:

net stop DNS && net start DNS
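The two commands above can be wrapped into a single idempotent PowerShell script that first reports the current state (is the DNS service present, is the value already set), applies the value only when it is missing or different, and restarts the service so the new value is read. This is an added example written for this bulletin, not code from TEHTRIS or Microsoft; the registry path, value name and the 0xFF00 data come from the workaround above, while the function names Get-SigRedWorkaroundState and Set-SigRedWorkaround are assumed names chosen here. It must be run from an elevated PowerShell session on the DNS server itself.

```powershell
# Added example (not from the TEHTRIS bulletin or from Microsoft): checks for and applies
# the CVE-2020-1350 registry workaround described above, then restarts the DNS service.
# Run in an elevated PowerShell session on a server where the DNS role is installed.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280, the REG_DWORD data given in the workaround above

function Get-SigRedWorkaroundState {
    # Assumed helper name. Returns an object describing whether the DNS service exists
    # on this host and whether the workaround value is already set to the expected data.
    $svc     = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $current = $null
    if (Test-Path -Path $RegPath) {
        $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [uint32]$item.$ValueName }
    }
    [pscustomobject]@{
        DnsServiceInstalled = ($null -ne $svc)
        DnsServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        CurrentValue        = $current
        WorkaroundApplied   = ($current -eq $Expected)
    }
}

function Set-SigRedWorkaround {
    # Assumed helper name. Applies the workaround only when needed; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $state = Get-SigRedWorkaroundState
    if (-not $state.DnsServiceInstalled) {
        Write-Warning 'DNS service not found on this host; nothing to do.'
        return $state
    }
    if ($state.WorkaroundApplied) {
        Write-Host ('{0} already set to 0x{1:X}; no change made.' -f $ValueName, $Expected)
        return $state
    }

    $target = "$RegPath\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, ('Set REG_DWORD to 0x{0:X}' -f $Expected))) {
        # -Force overwrites an existing value that has different data or type.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                         -Value $Expected -Force | Out-Null
        # The value is only read at service start, so restart DNS
        # (the PowerShell equivalent of "net stop DNS && net start DNS").
        Restart-Service -Name DNS -Force
    }
    Get-SigRedWorkaroundState
}

# Usage (elevated): preview first, then apply, then show the resulting state.
Set-SigRedWorkaround -WhatIf
Set-SigRedWorkaround | Out-Null
Get-SigRedWorkaroundState | Format-List
```

Keeping the state check separate from the change makes the same script usable for a read-only audit across a fleet of DNS servers (call only Get-SigRedWorkaroundState) and as a remediation step; the `-WhatIf` run shows exactly which value would be written and that a service restart will follow before anything is changed.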

TEHTRIS is at your disposal for any further information.

// Sources

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/