CVE-2020-1350: Wormable Remote Code Execution Vulnerability in Windows DNS Server Disclosed (SIGRed)

Researchers disclose a 17-year-old wormable flaw in Windows DNS servers. Organizations are strongly encouraged to apply patches as soon as possible.

Update July 17, 2020: The Proof of Concept and Solutions sections have been updated to reflect the availability of proof of concept scripts and the availability of an audit file for Tenable products.

Background

On July 14, Microsoft patched a critical vulnerability in Windows Domain Name System (DNS) Server as part of Patch Tuesday for July 2020. The vulnerability was disclosed to Microsoft by Sagi Tzadik and Eyal Itkin, researchers at Check Point Research, who dubbed this vulnerability “SIGRed.” According to the researchers, the vulnerability has persisted in Windows DNS Server for 17 years. Microsoft has published its own blog post about the flaw, warning that they consider it wormable.

Analysis

CVE-2020-1350 is a critical remote code execution (RCE) vulnerability in Windows DNS servers due to the improper handling of DNS requests. It was assigned a CVSSv3 score of 10.0, the highest possible score. To exploit this vulnerability, an attacker would send a malicious request to a vulnerable Windows DNS server. Successful exploitation would grant the attacker arbitrary code execution privileges under the Local System Account context. Microsoft warns that systems at risk include “Windows servers” that have been “configured as DNS servers.”

Second major wormable flaw patched this year

In March of this year, Microsoft released patches for CVE-2020-0796, a wormable RCE vulnerability in Microsoft Server Message Block 3.1.1, known as EternalDarkness or SMBGhost. While we have yet to see SMBGhost used in a wormable fashion, SIGRed marks the second wormable Microsoft vulnerability patched this year.

SIGRed can be triggered via the browser

Researchers at Check Point found that they could remotely trigger the vulnerability through a web browser. This is achieved by “smuggling” a DNS query in an HTTP request as part of the POST data. However, this vulnerability can only be exploited through browsers that accept HTTP requests over the standard DNS port (53), which include Internet Explorer and Microsoft Edge versions that are not using Chromium.

As part of a demonstration, Check Point Researchers show how they could trigger the vulnerability by sending a link to a user in an email, which when opened would smuggle the DNS query inside of the HTTP request.

Proof of concept

At the time this blog post was published, there was no working proof-of-concept (PoC) code available for this vulnerability. However, we have seen at least one fake PoC that RickRolls users. In the past, we’ve also observed some malicious scripts that masquerade as PoCs being published to GitHub. We strongly advise caution when dealing with alleged PoCs.

Since CVE-2020-1350 was made public on July 14, PoCs have been published to GitHub including scripts to apply the mitigation instructions listed in the Solutions section, as well as a few scripts [1, 2] that exploit the flaw in order to cause a denial of service.

Solution

Microsoft has released patches to address SIGRed across a variety of Windows Server releases. Despite Windows Server 2008 reaching end of life in January 2020, Microsoft has published security patches to prevent unsupported systems from being compromised by a potential worm.

Tenable strongly encourages organizations to apply these patches as soon as possible.

If applying these patches is not currently feasible, Microsoft provided a workaround via a Windows registry modification:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

In order for these changes to take effect, the DNS Service must be restarted.

Microsoft recommends removing the workaround after patches have been applied.

On July 17, our Audit and Compliance team released an audit file for Tenable products that will detect whether or not the mitigation has been applied to assets.

When a target is scanned, it will produce the following result:

If the registry modification has been applied, it will return a “PASSED” value under the compliance tab, otherwise it will return a “FAILED” value.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Microsoft Advisory for CVE-2020-1350
• Check Point Research Blog for SIGRed (CVE-2020-1350)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.