
Here’s how to address SIGRed — the new Windows DNS Server exploit

15 Jul 2020

Since WannaCry and NotPetya, security researchers have heavily scrutinised new Windows bugs that could potentially be used to create a similar worm. One potentially wormable vulnerability has appeared in Microsoft’s Windows DNS Server.

Check Point’s Research Team discovered a new vulnerability — SIGRed (CVE-2020-1350) — in the Windows DNS server. SIGRed affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response.

Critically, SIGRed is wormable, meaning that a single exploit can cause a chain reaction, allowing attacks to spread through a network without any action by the user. In short, successful exploitation of this vulnerability would grant an attacker Domain Admin rights, effectively compromising the entire corporate infrastructure.

Check Point and Microsoft warn that the flaw is critical, with a score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS) — an industry-standard severity rating.

What Should You Do To Mitigate This Threat?

Seccom Global recommend you look to patch your systems quickly. Microsoft released a patch yesterday that should be implemented as soon as possible.

Check Point has also recommended a temporary workaround until the patch is applied: set the maximum length of a DNS message (over TCP) to 0xFF00. This should eliminate the vulnerability.
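One way to audit and apply this workaround on a Windows DNS server is shown below. This is an added example, not code from Check Point, Microsoft or Seccom Global. It assumes the registry path and the `TcpReceivePacketSize` value name from Microsoft's published workaround guidance for CVE-2020-1350, neither of which appears on this page.

```powershell
# Added example: audit (and optionally apply) the DNS-over-TCP size workaround.
# Assumption: the registry path and value name below follow Microsoft's
# published workaround guidance for CVE-2020-1350; they are not on this page.
param(
    [switch]$Apply   # without -Apply the script only reports
)

$path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name   = 'TcpReceivePacketSize'
$wanted = 0xFF00     # maximum DNS message length over TCP, per the workaround

# Only hosts running the DNS Server role are affected.
$svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'DNS Server service not found; workaround not applicable.'
    return
}

# Read the current value; $null means the value has never been set.
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($current -eq $wanted) {
    Write-Output ('Workaround present: {0} = 0x{1:X}' -f $name, $current)
    return
}

$shown = if ($null -eq $current) { 'not set' } else { '0x{0:X}' -f $current }
Write-Output ('Workaround missing: {0} is {1}, expected 0x{2:X}' -f $name, $shown, $wanted)

if ($Apply) {
    # Create or overwrite the DWORD value.
    New-ItemProperty -Path $path -Name $name -Value $wanted `
        -PropertyType DWord -Force | Out-Null

    # The DNS service reads the value at start-up, so restart it.
    Restart-Service -Name DNS -Force

    $after = (Get-ItemProperty -Path $path -Name $name).$name
    Write-Output ('Applied: {0} = 0x{1:X}; DNS service restarted.' -f $name, $after)
}
```

Run it from an elevated PowerShell session. Without `-Apply` it changes nothing, which makes it suitable for checking a fleet of DNS servers before and after remediation.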

Important Information & Links

1. Visit the Check Point Research site here.
2. For a detailed conversation, you can join the Check Point Team for a webinar here.
3. To see the Microsoft Security Response Centre Update click here.
4. For the Microsoft Update: Workaround, click here.