Original Release Date: 7/14/2020
Microsoft released a patch to address CVE-2020-1350, a remote code execution vulnerability in Windows DNS Server. Exploiting the vulnerability, dubbed “SIGRed,” could allow a threat actor to gain Domain Administrator rights over the server and compromise an entire network infrastructure.
The critical vulnerability results from a flaw in the way Windows DNS Server parses an incoming DNS query and the way it handles the response to a forwarded DNS query. A threat actor could take full control of a server by causing a malicious DNS query to trigger a heap-based buffer overflow. This is considered a “wormable” vulnerability, meaning it has the potential to let malware spread from system to system across a network without user interaction.
The NJCCIC recommends that administrators update systems as soon as possible after appropriate testing. If patching is not feasible, apply the workaround provided by Microsoft. Microsoft provides additional information in its blog post and advisory, and Check Point provides technical details and analysis of the SIGRed vulnerability in its research post.
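The following PowerShell script is an added example, not part of the NJCCIC advisory, showing how an administrator can check, apply or revert Microsoft's interim workaround on a Windows DNS Server while the security update is being tested. The registry path `HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters`, the DWORD value `TcpReceivePacketSize` and the value `0xFF00` are taken from Microsoft's published workaround guidance (KB4569509), not from this page; the `Get-WorkaroundState` helper and the `-Apply`/`-Revert` switches are this example's own constructs.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the NJCCIC advisory): check, apply or revert
  Microsoft's interim workaround for CVE-2020-1350 on a Windows DNS Server.
  Registry path, value name and value are from Microsoft KB4569509.
  Usage:  .\Sigred-Workaround.ps1            # report current state only
          .\Sigred-Workaround.ps1 -Apply     # set the cap and restart DNS
          .\Sigred-Workaround.ps1 -Revert    # remove the cap after patching
#>
param(
    [switch]$Apply,
    [switch]$Revert
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'TcpReceivePacketSize'
$safeValue = 0xFF00   # 65280 bytes: caps the size of inbound TCP DNS messages

# The workaround only matters on a host running the DNS Server role.
$dnsSvc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $dnsSvc) {
    Write-Output 'DNS Server service not present on this host; nothing to do.'
    return
}

# Hypothetical helper: reports whether the cap is present and small enough.
function Get-WorkaroundState {
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $current)       { return 'NotSet' }
    if ($current -le $safeValue)  { return ('Set (0x{0:X} = {0} bytes)' -f $current) }
    return ('SetButTooLarge (0x{0:X} = {0} bytes)' -f $current)
}

Write-Output ('Before: {0}' -f (Get-WorkaroundState))

if ($Apply) {
    # Create or overwrite the DWORD value exactly as the workaround specifies.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $safeValue -Force | Out-Null
    # The change takes effect only after the DNS Server service restarts.
    Restart-Service -Name 'DNS' -Force
}
elseif ($Revert) {
    # Remove the cap once the security update has been installed and verified.
    Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    Restart-Service -Name 'DNS' -Force
}

Write-Output ('After:  {0}' -f (Get-WorkaroundState))
```

Running the script with no switches is a safe audit step that can be executed across DNS servers to confirm which hosts still lack both the update and the workaround. Restarting the DNS Server service briefly interrupts resolution, so schedule `-Apply` accordingly, and prefer installing the patch over leaving the workaround in place long term.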