Full points for DNS vulnerability SIGRed on the CVSS scale
Sometimes finishing with 10 out of 10 points is a reason for celebration. Unfortunately, in this case, things are different. A newly discovered vulnerability in Windows DNS servers, SIGRed, has achieved an ominous 10.0 out of 10.0 on the Common Vulnerability Scoring System (CVSS) scale. This makes SIGRed one of the most dangerous vulnerabilities to have emerged in recent months. But there is some good news: a patch was released recently and will be installed automatically via Windows Update. The bad news: SIGRed is 17 years old, and it is unlikely that nobody has found and exploited the vulnerability during this time. Now the cat is definitely out of the bag, and Windows admins all over the world should hurry to install the appropriate patch.
The vulnerability was identified by Check Point Research, the analytics and research division of the Israeli security firm Check Point. According to its analysts, SIGRed can be exploited in DNS server versions from Windows 2003 to 2019. DNS servers based on other operating systems are not affected. If an exploit succeeds, the attacker gains domain admin rights on the DNS server. In the world of cybercrime this means hitting the jackpot; it is as good as it gets. Such a compromised server is in itself a massive threat, as manipulated DNS entries can be used to launch man-in-the-middle attacks. However, attackers can also use the server to escalate privileges and move on to other servers, including ones with even higher privileges.
The actual vulnerability mechanism is a simple buffer overflow: DNS requests are manipulated to trigger the overflow and execute injected code. A detailed description is given on the Check Point Research blog. To make matters worse, Microsoft classifies SIGRed as wormable. This means that a compromised server can automatically and easily infect other Windows DNS servers in the local network and thus bring an entire network under its control. This should not happen in a well-protected network, as microsegmentation can prevent unnecessary communication. However, firstly, microsegmentation is still far from common practice, and secondly, even where it has been implemented, DNS requests are usually external traffic. With the aggressive capability that has been reported for SIGRed, a complete network could be taken over in minutes.
Check Point informed Microsoft of the discovery on May 19. Microsoft's developers responded within a very short time with the patch “Microsoft Windows DNS Server Remote Code Execution (CVE-2020-1350)”. It is recommended to deploy the patch as soon as possible, as Check Point's analysts believe that skilled attackers have all the information they need to exploit the vulnerability. Admins who cannot install the patch immediately can find several hints for workarounds on the Microsoft website. The simplest involves changing a registry entry that limits the size of incoming DNS requests. A description is available here. The workaround is not perfect: legitimate packets could also be rejected by the restriction, which the requesting DNS client knows nothing about. Nevertheless, given such a high risk, the potential consequences should be acceptable.
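As an added example (not from the article and not Microsoft's own script), the following PowerShell applies, checks and later reverts the registry workaround described above on an unpatched Windows DNS server. The key path, the value name TcpReceivePacketSize and the limit 0xFF00 are taken from Microsoft's advisory for CVE-2020-1350 rather than from this article, and the KB number is a placeholder; verify all of them against the advisory before running this on a server.

```powershell
# Added example: Microsoft's registry workaround for CVE-2020-1350 (SIGRed).
# Key, value name and 0xFF00 come from Microsoft's advisory (assumption: verify
# against the advisory, they are not stated in the article). Run elevated on
# the DNS server itself.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Limit     = 0xFF00          # largest DNS-over-TCP message the server accepts
$PatchKB   = 'KB0000000'     # PLACEHOLDER: KB number from the CVE-2020-1350 advisory

function Get-DnsTcpLimit {
    # Returns the current limit, or $null when the value is absent (server default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Enable-DnsTcpLimit {
    # Create or overwrite the DWORD, then restart the DNS Server service so it takes effect.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Limit -Force | Out-Null
    Restart-Service -Name DNS
    Write-Host ("Workaround applied: {0} = 0x{1:X}" -f $ValueName, (Get-DnsTcpLimit))
}

function Disable-DnsTcpLimit {
    # Remove the value once the patch is installed, so that legitimate large
    # TCP answers (zone transfers, DNSSEC responses) are no longer rejected.
    if ($null -ne (Get-DnsTcpLimit)) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Restart-Service -Name DNS
        Write-Host 'Workaround removed; DNS Server back to its default TCP message size.'
    }
}

# Decide based on whether the fix is already installed.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
if ($patched) {
    Write-Host "$PatchKB present; no workaround needed."
    Disable-DnsTcpLimit
} elseif ((Get-DnsTcpLimit) -eq $Limit) {
    Write-Host "Workaround already in place (0x{0:X}); patch still missing." -f $Limit
} else {
    Enable-DnsTcpLimit
}
```

Rerun the script after Windows Update has installed the fix: it then removes the limit so the server stops rejecting oversized but legitimate TCP answers.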
SIGRed has fortunately been discovered and (hopefully) will soon be patched everywhere. Even so, the whole incident is likely to have left many administrators feeling uneasy. DNS servers are by definition always externally accessible, and that makes them a permanent point of vulnerability in any network. There is no way of completely eliminating vulnerabilities like SIGRed. The best strategy is damage limitation: clearly defined roles and rights management (to prevent privilege escalation), network segmentation (to stop worm-style spread) and a well-maintained intrusion prevention system (which detects and blocks unusual DNS packets in the LAN).