A vulnerability named SIGRed and tracked as CVE-2020-1350 was discovered in May 2020 by the Check Point Research team.
The SIGRed vulnerability affects the DNS service that can be enabled on server versions of Microsoft Windows.
The following server versions are affected (when the DNS service is enabled):
Microsoft rates it critical (CVSS 10.0) because the DNS service runs with SYSTEM privileges: a successful exploit gives a remote attacker full control of the server, and Microsoft considers the flaw potentially wormable.
In a Microsoft environment, the DNS service is commonly hosted on the domain controller itself; in that case a successful exploit gives the attacker SYSTEM-level access to one of the most critical servers in the domain.
Microsoft's fix was released with the July 2020 Patch Tuesday update, which addresses 123 vulnerabilities across 13 products:
Given the sensitivity of the information handled by the DNS service and the severity of code execution with SYSTEM rights on a server, it is recommended to apply the Microsoft patch as soon as possible.
Researchers and administrators who want to understand how the vulnerability works should be especially careful: some code published as a PoC is actually a RickRoll-type trap, and other samples could be more dangerous (for example, malware disguised as an exploit).
Example of RickRoll-type code posing as a PoC:
If the patch cannot be applied, adding a registry value and restarting the DNS service protects the server against the exploitation techniques known at the time of writing this bulletin. The value caps the size of DNS messages the server accepts over TCP at 65,280 bytes (0xFF00); while it is in place, the server will not process larger TCP responses, so the value should be removed again once the patch has been installed.
Command to add the registry value:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
Command to restart the service:
net stop DNS && net start DNS
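The same workaround as a PowerShell script, added here as an example (not code from the original bulletin or from Microsoft): it records the current state of the value, applies the workaround, restarts the DNS service, and verifies the result. The registry path, value name and data 0xFF00 are Microsoft's published workaround; the function names are this example's own. Run it in an elevated PowerShell session on the DNS server.

```powershell
# Added example: apply and verify the registry workaround for CVE-2020-1350 (SIGRed).
# Not part of the original bulletin. Requires an elevated PowerShell session on the DNS server.
# Path, value name and data (0xFF00) are the ones Microsoft published for this workaround.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'TcpReceivePacketSize'
$cap       = 0xFF00   # 65280 bytes: largest TCP DNS message the service will accept

function Get-SigredWorkaroundState {
    # Returns the current DWORD value, or $null if the value has not been created.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-SigredWorkaround {
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'The DNS service is not installed on this host; nothing to mitigate.'
    }
    # Create the DWORD value, or overwrite it if it already exists (-Force).
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $cap -Force | Out-Null
    # The DNS service reads this value at start-up, so it must be restarted.
    Restart-Service -Name DNS -Force
}

function Remove-SigredWorkaround {
    # Once the July 2020 patch is installed, the value can be removed again so that
    # large TCP responses (over 65,280 bytes) are accepted as before.
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
}

# --- usage: apply the workaround and confirm it took effect ---
$before = Get-SigredWorkaroundState
if ($null -eq $before) {
    Write-Host 'TcpReceivePacketSize before: not set'
} else {
    Write-Host ('TcpReceivePacketSize before: 0x{0:X}' -f $before)
}

Set-SigredWorkaround

$after = Get-SigredWorkaroundState
if ($after -eq $cap -and (Get-Service -Name DNS).Status -eq 'Running') {
    Write-Host ('Workaround active: TcpReceivePacketSize = 0x{0:X}, DNS service running' -f $after)
} else {
    Write-Warning 'Workaround not confirmed; check the registry value and the DNS service state.'
}
```

The script restarts the DNS service, which briefly interrupts name resolution for clients of that server; schedule it accordingly on domain controllers. After the patch is installed, call Remove-SigredWorkaround to restore the default behaviour.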
TEHTRIS is at your disposal for any further information.