July 14th (2020) marked a very important patch rollout for Windows DNS Server. CVE-2020-1350 (aka SIGRed) is a wormable, critical vulnerability in the Windows DNS Server service which, if exploited, gives an attacker code execution as SYSTEM on the DNS server; because Windows DNS so often runs on Domain Controllers, that means Domain Administrator rights in your network. It is triggered by a large, specially crafted DNS response from a malicious nameserver, so the vulnerable server only has to issue a query that ends up at an attacker-controlled nameserver. Restricting inbound DNS to the server does not prevent this, so even a properly segmented DNS architecture is exposed.
A demonstration of the exploit was conducted on a Windows Server 2012 R2 system, but the vulnerability affects all Windows Server versions from 2003 through 2019 and carries a CVSS score of 10/10 (critical) for any network relying on Windows DNS. Research resource: Check Point Research, who discovered and reported SIGRed.
Given the upward trend in ransomware attacks which first target and prioritize acquiring Domain Controller credentials, SecuLore is especially concerned for our clients in public safety. For those who cannot apply the patch immediately, Microsoft has issued a registry-based workaround that requires no reboot (only a restart of the DNS Server service). It mitigates the vulnerability by capping the size of TCP DNS packets the server will accept below the 64 KB (0xFFFF) threshold required to trigger the exploit; inbound TCP DNS responses larger than the cap are dropped without error, which in rare cases may affect legitimate oversized replies. Microsoft's workaround.
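The following PowerShell is an added example, not part of the original post and not Microsoft's own script, showing how to apply, verify and later revert the workaround on a DNS server. The registry path, value name (TcpReceivePacketSize) and value (0xFF00) are the ones Microsoft documented for CVE-2020-1350; the function names (Set-SigRedWorkaround, Test-SigRedWorkaround, Remove-SigRedWorkaround) are our own and chosen for illustration. Run it from an elevated PowerShell session on the DNS server itself.

```powershell
# Added example (not from the original post or from Microsoft): apply, verify
# and revert the SIGRed (CVE-2020-1350) registry workaround.
# Path, value name and 0xFF00 are Microsoft's documented settings; the
# function names below are hypothetical and chosen for this example.
$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name  = 'TcpReceivePacketSize'
$Value = 0xFF00   # 65280 bytes: just under the 64 KB (0xFFFF) size the exploit needs

function Set-SigRedWorkaround {
    # Only meaningful on a host that actually runs the DNS Server role
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'DNS Server service not found on this host'
    }
    # -Force overwrites an existing value; DWord matches what DNS.exe reads
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    # The value is read at service start: a DNS service restart (not a reboot) is required
    Restart-Service -Name DNS -Force
}

function Test-SigRedWorkaround {
    # Returns $true only if the cap is present and at or below Microsoft's recommended value
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        Write-Output "$Name not set: workaround NOT applied"
        return $false
    }
    $ok = ($current -le 0xFF00)
    $state = if ($ok) { 'workaround applied' } else { 'value too large, exploit still possible' }
    Write-Output ("{0} = 0x{1:X} ({2})" -f $Name, $current, $state)
    return $ok
}

function Remove-SigRedWorkaround {
    # Once the July 2020 security update is installed, remove the cap so that
    # legitimate oversized TCP DNS responses are no longer dropped
    Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
}

# Apply the workaround and confirm it took effect
Set-SigRedWorkaround
Test-SigRedWorkaround
```

Test-SigRedWorkaround is also useful on its own as a quick audit across your DNS servers (for example through Invoke-Command) to confirm that nothing has been missed while the patch is rolled out. Remember to run Remove-SigRedWorkaround after the security update is installed, since the packet-size cap is a mitigation, not a fix.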
SecuLore Support Team