See a 10-minute overview of the platform.

Search
Search

Share

Advisory: Critical RCE in Windows DNS – CVE-2020-1350

Windows CVE-2020-1350 aka SIGRed?

This blog explains CVE-2020-1350 aka SIGRed, how to identify if you are vulnerable and what, if anything, you need to do.

What is it?

It’s a vulnerability in all versions of Windows servers that could result in Remote Code Execution, allowing a successful attacker to run unwanted operations on machines which can irreparably damage affected machines by sending a crafted DNS request to the server. The vulnerability has been deemed as ‘wormable’, which means it can be spread between vulnerable machines without user interaction. It can be spread as easily as getting an user to interact with a webpage.

Checkpoint have given a breakdown of how the vulnerability may be exploited, as well as how to protect against it.
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Should I be worried?

Yes, this should be patched and the machines restarted at the earliest opportunity.

What do I need to do?

Edgescan are advising patching at the earliest convenience, when we start seeing SIGRed in the wild on our clients infrastructure, we will be advising them if they are vulnerable.

You should also check your patching for Windows Servers:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

If you can’t immediately apply patches, there is a temporary workaround by editing the maximum length of a DNS message via the registry.
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Here for CVE advisory:

https://nvd.nist.gov/vuln/detail/CVE-2020-1350

Here for the MS Security Response update:

https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/

If you have any concerns please reach out to the Edgescan Team through the usual channels.