Windows CVE-2020-1350 aka SIGRed?
This blog post explains CVE-2020-1350, also known as SIGRed, how to identify whether you are vulnerable, and what, if anything, you need to do about it.
What is it?
It is a vulnerability in the DNS Server role of every version of Windows Server from 2003 through 2019, rated critical (CVSS 10.0) by Microsoft. An attacker who sends the server a crafted DNS query, causing it to fetch an oversized, malicious response from an attacker-controlled name server, can run code of their choosing as SYSTEM on the DNS server; in most Active Directory environments that server is a domain controller. The vulnerability has been deemed ‘wormable’, meaning an exploit could spread from one vulnerable machine to the next without any user interaction. Check Point have also shown that, with some browsers, it can be triggered simply by getting a user on the internal network to visit a malicious web page.
Check Point have published a breakdown of how the vulnerability may be exploited, as well as how to protect against it:
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
Should I be worried?
Yes. Microsoft rates this critical (CVSS 10.0); the update should be installed, and the machines restarted, at the earliest opportunity. Any Windows server running the DNS Server role is affected, whether or not it is exposed to the internet.
What do I need to do?
Edgescan are advising patching at the earliest opportunity. As we start seeing SIGRed on our clients’ infrastructure, we will advise them if they are vulnerable.
You should also check the Microsoft advisory for the update that applies to each of your Windows Server versions:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
If you can’t apply the patch immediately, Microsoft has published a temporary workaround: cap the size of DNS messages the server will accept over TCP by setting the DWORD value TcpReceivePacketSize to 0xFF00 (65280) under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, then restart the DNS service so the new value is read. Note that this only limits TCP responses, that responses larger than 65280 bytes will fail to resolve while it is in place, and that it is no substitute for the patch and should be removed once the update is installed:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
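The check-then-mitigate procedure above, as an added PowerShell example (this is not Edgescan’s or Microsoft’s code). It assumes it is run as an administrator on the server being checked, and that you supply the KB number(s) of the July 2020 update for your OS version from the Microsoft advisory via the -PatchKBs parameter, since those differ per Windows Server version and are not listed here. The registry path and the 0xFF00 value are the ones given in KB4569509.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Edgescan or Microsoft): report whether this server is
# exposed to CVE-2020-1350 and, optionally, apply the KB4569509 registry workaround.
param(
    # KB IDs of the fixing update for this OS version, taken from the MSRC advisory.
    # Assumed to be supplied by the operator; deliberately not hard-coded here.
    [string[]]$PatchKBs = @(),
    [switch]$ApplyWorkaround
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00   # 65280 bytes, the value KB4569509 specifies

# 1. No DNS Server role, no exposure.
$dnsSvc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsSvc) {
    Write-Output 'DNS Server service not installed: this host is not affected by CVE-2020-1350.'
    return
}

# 2. Is one of the fixing updates installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$patched   = $PatchKBs | Where-Object { $installed -contains $_ }
if ($patched) {
    Write-Output "Patched: $($patched -join ', ') is installed (a reboot is still required after install)."
    # KB4569509 says the workaround can be removed once the update is in place.
    if (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Write-Output "Note: the $ValueName workaround is still set; remove it with Remove-ItemProperty and restart DNS once you are happy the patch is applied."
    }
    return
}

# 3. Not patched: is the registry workaround already in place?
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -ne $current -and $current -le $SafeValue) {
    Write-Output ("Unpatched but mitigated: {0} = 0x{1:X} (only effective if DNS was restarted after it was set)." -f $ValueName, $current)
    return
}

Write-Output 'VULNERABLE: DNS Server role present, fixing update not found, workaround not set.'

if ($ApplyWorkaround) {
    # Set the cap and restart the service; the value is only read at service start.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $SafeValue -Force | Out-Null
    Restart-Service -Name DNS
    Write-Output "Workaround applied: $ValueName = 0xFF00 and the DNS service has been restarted."
}
```

Run it first without -ApplyWorkaround to see where each server stands, then with the switch only on servers you cannot patch straight away; restarting the DNS service causes a brief resolution outage, so do it in a maintenance window where you can, and remember that the script reports “mitigated” for any value at or below 0xFF00 because that is what limits the oversized TCP responses the bug depends on.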
CVE advisory (NVD):
https://nvd.nist.gov/vuln/detail/CVE-2020-1350
Microsoft Security Response Center advisory:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
If you have any concerns please reach out to the Edgescan Team through the usual channels.