We’ve been made aware of a significant vulnerability affecting Microsoft DNS Servers on Windows Server versions 2003 through 2019. It was discovered and disclosed by the Check Point Incident Response Team.
What we know so far
Dubbed ‘SigRed’ by Check Point and rated CVSS 10.0 (CVE-2020-1350), this critical remote code execution (RCE) vulnerability could allow an unauthenticated remote threat actor to gain domain administrator privileges and potentially obtain complete control of an organisation’s infrastructure. The vulnerability occurs when a Windows Domain Name System (DNS) server fails to properly handle a request, and it can be triggered with a crafted malicious DNS response.
Additionally, this vulnerability has the potential to spread via malware between vulnerable computers without user interaction. According to Microsoft’s vulnerability release:
“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high-level domain accounts.
Are any other non-Microsoft DNS server implementations impacted by this vulnerability?
The vulnerability stems from a flaw in Microsoft’s DNS server implementation and is not the result of a protocol level flaw, so it does not affect any other non-Microsoft DNS server implementations.
Under what circumstances would I consider using the registry key workaround?
Microsoft recommends that everyone who runs DNS servers install the security update as soon as possible. However, if you are unable to apply the patch right away, Microsoft recommends that you use the workaround as soon as possible to protect your environment in the time before you install the updates.”
This vulnerability affects only the Windows DNS Server implementation; the DNS client is not affected.
What can customers do about it?
We recommend that customers install the latest update (released on the most recent Patch Tuesday). If patching is not possible, we recommend the following registry change, which restricts the size of the largest inbound TCP-based DNS response packet allowed:
Value = 0xFF00
· Default (also maximum) value = 0xFFFF
· Recommended value = 0xFF00 (255 bytes less than the maximum)
Note: You must restart the DNS Server service for the registry change to take effect.
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes. TCP-based DNS response packets that exceed the configured value are dropped silently, without an error, so some queries may go unanswered.
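As an added example (not part of the original advisory or of Microsoft’s guidance), the following PowerShell snippet records the current limit, applies the recommended 0xFF00 value, restarts the DNS Server service and verifies the result. The registry path and value name are placeholders, since this text does not name them; take them from Microsoft’s published guidance for CVE-2020-1350.

```powershell
# Added example: apply and verify the TCP DNS response-size workaround.
# PLACEHOLDERS: the registry key and value name are not given in this text;
# substitute the key and DWORD value named in Microsoft's advisory for CVE-2020-1350.
$KeyPath     = 'HKLM:\<PATH-FROM-MICROSOFT-ADVISORY>'   # placeholder
$ValueName   = '<TCP-RESPONSE-SIZE-VALUE-NAME>'          # placeholder
$Recommended = 0xFF00   # 65280 bytes, the value recommended above
$Maximum     = 0xFFFF   # default (and largest) value, 65535 bytes

# Record the current setting so the change can be reverted once the patch is installed.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { $current = $Maximum }   # an absent value means the default applies
Write-Host ("Current limit: 0x{0:X4} ({0} bytes)" -f $current)

# Write the recommended limit as a REG_DWORD (creates the value if it does not exist),
# then restart the DNS Server service so the new limit takes effect.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Recommended -Force | Out-Null
Restart-Service -Name DNS

# Verify that the value actually took, and fail loudly if it did not.
$applied = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($applied -ne $Recommended) {
    throw ("Workaround not applied: value is 0x{0:X4}" -f $applied)
}
Write-Host ("Limit now 0x{0:X4}; TCP responses larger than {0} bytes will be dropped." -f $applied)
```

Run from an elevated prompt on the DNS server; to roll back after patching, set the value back to the recorded `$current` (or 0xFFFF) and restart the service again.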