Leads to Full Compromise

SIGRed (CVE-2020-1350) Affects ALL Windows DNS Servers

Organizations are strongly encouraged to apply this workaround as soon as possible in order to avoid catastrophic consequences.

SIGRed is a wormable vulnerability with a CVSSv3 score of 10.0, the highest possible, and it is triggered by a malicious DNS request. Wormable means that exploitation can succeed and spread without any user interaction, which makes it far more dangerous. Domain Controllers typically host the Domain Name System role and are therefore the most exposed to this vulnerability.

It is important to note that SIGRed is the second wormable Windows vulnerability discovered in 2020, after the well-known SMBGhost (CVE-2020-0796) from last March, which affects Microsoft Server Message Block 3.1.1.

A weaponized, practical exploit for these vulnerabilities is very likely to appear in the near future, which means updates, patches and workarounds should be applied immediately!

Cause

The DNS service runs as an elevated user with a high level of permissions, so a successful exploit gives an attacker direct administrative control over the server. The vulnerability lies in the improper handling of certain types of DNS responses. For a better understanding of how DNS works, a good summary is available from Cloudflare.

The research and detailed explanation were published by Check Point Research. As a short summary: DNS SIG records, which carry a signature for DNSSEC, can be manipulated. The size of the record is stored in a 16-bit field, so an integer overflow occurs for records whose size exceeds 65535 bytes.

At this point the 16-bit value wraps around, so the memory allocation is shorter than the actual data, causing a heap overflow. From there the researchers at Check Point identified the various primitives needed to complete the exploitation chain. It is only a matter of time until motivated attackers finalize a practical, working exploit.

Solution

As of today, July 15, 2020, patches for CVE-2020-1350 are available from Microsoft, but if those cannot be applied there is a temporary workaround. Microsoft also released patches for unsupported systems such as the old Windows Server 2008, to prevent them from being compromised.

The workaround is a registry modification that limits the size of DNS response packets received over TCP to 0xFF00 (65280) bytes.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

DWORD = TcpReceivePacketSize
Value = 0xFF00

The DNS service then needs to be restarted for the change to take effect.
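The registry workaround above, applied and verified with PowerShell, as an added example that is not part of the original post. It assumes an elevated prompt on the Windows DNS server, the service name `DNS` (the standard name of the Windows DNS Server service), and that the server is not yet patched; the function `Test-SigRedWorkaround` is a name chosen here for the check.

```powershell
# Added example (not from the original post): apply and verify the
# Microsoft registry workaround for CVE-2020-1350 on a Windows DNS server.
# Run from an elevated PowerShell prompt on each affected server.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280 bytes, the limit recommended in the advisory

# Returns $true when the DWORD exists and holds the expected value,
# $false otherwise (missing value or a different size).
function Test-SigRedWorkaround {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq $Expected)
}

if (Test-SigRedWorkaround) {
    Write-Output "Workaround already in place: $ValueName = 0x{0:X} ({0})" -f $Expected
} else {
    # Create the DWORD, or overwrite it if it already exists with another value.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
                     -Value $Expected -Force | Out-Null

    # The setting is read at service start, so the DNS service must be restarted.
    Restart-Service -Name 'DNS'

    if (Test-SigRedWorkaround) {
        Write-Output "Workaround applied and DNS service restarted."
    } else {
        Write-Warning "Registry value could not be verified; check permissions and the key path."
    }
}
```

The check is separated into a function so it can be reused in an audit pass across all DNS servers (for example, through `Invoke-Command`) before and after rollout; the workaround is mitigation only and should be removed once the real patch has been installed.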

Organizations are strongly encouraged to apply the workaround described above, or the corresponding patches, as soon as possible in order to avoid catastrophic consequences.