Dark Reading is part of the Informa Tech Division of Informa PLC



7/20/2020
05:55 PM
SIGRed: What You Should Know About the Windows DNS Server Bug

DNS experts share their thoughts on the wormable vulnerability and explain why it should be a high priority for businesses.

Last week Microsoft patched SIGRed, a critical, wormable vulnerability in Windows DNS Server that affects Windows Server 2003 through 2019. CVE-2020-1350, which carries a CVSS base score of 10.0, should be a top priority for any environment running Windows DNS Server.

SIGRed was the standout among 123 CVEs Microsoft fixed as part of its monthly Patch Tuesday rollout. DNS experts say a combination of factors -- including ease of exploitation, severity of an attack, and shift in attacker techniques -- could make this vulnerability dangerous to companies that neglect to patch. It's possible businesses may not know they're exposed until it's too late.

"This is a vulnerability that's serious enough to give somebody access to the host that's actually running the Microsoft DNS Server," says Cricket Liu, chief DNS architect at Infoblox. This host is often the domain controller, he says. If attackers gain access to a domain controller and a target organization has an extensive DNS infrastructure based on Windows DNS Server, they could potentially propagate from the initial host to all internal domain controllers, Liu explains.

SIGRed takes its name from SIG records, the resource-record type whose handling triggers the bug. An attacker would first publish a malicious SIG or RRSIG record on an authoritative DNS server on the Internet and then, Liu adds, cause the target organization's Windows DNS Server to look that record up. SIG records are rarely used, but there are ways to force the lookup: the Check Point researchers who discovered SIGRed found that it was enough to get someone inside the organization to visit a web page, which induced the browser to send a request to a nearby internal DNS server that the server processed as a DNS query.

Successful attackers could achieve domain administrator rights and compromise the entire corporate infrastructure. They might launch a botnet running at a high-privilege level inside a number of businesses or use their access as a launch point for further malicious activity. And, as DNS experts point out, they don't need to be sophisticated to pull this off.

"This one is highly exploitable by people who don't need significant technical knowledge," says Rodney Joffe, senior vice president and security CTO at Neustar, who notes the shift to working from home could put businesses at greater risk as attackers target remote employees. Without the protections of corporate offices, it's easier and more appealing for adversaries to break in.

Rather than targeting a large enterprise environment, attackers can now target thousands of employees who need privileged access to do their jobs. They only need to get onto their home networks and move laterally to find someone working on a personal device. This shift, combined with the easily exploitable SIGRed vulnerability, creates "a perfect storm online," Joffe explains.

"From an enterprise point of view, this is one of the top two or three things that need to be patched very, very quickly [from] over the past year," he adds. 

As Check Point researchers point out, the impact could be severe. Unpatched Windows domain environments, especially domain controllers, are common, and some Internet service providers may have built their public DNS service on Windows DNS Server.

Gotta Patch 'Em All
Large enterprises can't afford to wait until their next patching cycle to apply the SIGRed fix. Now that the flaw is public, attackers are likely scanning for and cataloguing vulnerable systems. But applying the fix may not be easy for businesses running Windows DNS Server.

IT admins may run into challenges because the DNS Server role commonly runs on the same machine as a domain controller, so patching and rebooting the DNS server means taking a domain controller offline.

"If you have folks running domain controllers, you don't want to be interrupting service on those boxes," Liu says. "People are very sensitive to doing any kind of maintenance on a domain controller if it might impair that box's functionality, since they're so critical to letting people log in and access resources within the domain."

A big problem, especially in legacy environments, is that these machines are often overlooked. The vulnerability is 17 years old, so there are likely servers that have never caused trouble and won't be upgraded because admins don't realize they're running Windows DNS Server. Those machines could prove the greatest threat if they aren't patched quickly.

Joffe advises monitoring all internal traffic for DNS traffic coming from unknown, unidentified, and unexpected Windows machines. In addition to commercial offerings, there are a number of open source and community-based services businesses can use to watch their traffic. He cites Spamhaus, SURBL, Shadowserver, and Dissect Cyber as examples of open source initiatives.

"Please find out what kind of shadow IT, what kind of abandonware, what kind of systems may be carrying data for your enterprise, in your role as a counterparty to the people outside your enterprise," urges Paul Vixie, chairman, CEO, and co-founder of Farsight Security. "Do the audit, do the fixing, hire a consultant if you have to, hire an MSSP … find every Windows server doing something at every IP address in your network."
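Vixie's audit ("find every Windows server doing something at every IP address in your network") and Joffe's advice to watch for DNS traffic from unexpected Windows machines, as an added PowerShell example that is not part of the article and is not code from any of the people quoted. It inventories domain-joined servers, reports which ones actually run the DNS Server service and whether each is a domain controller, and then sweeps a subnet for anything answering on TCP/53 that Active Directory does not know about. It assumes the RSAT ActiveDirectory module on the admin host, WinRM access to the servers, and uses 10.0.0.0/24 as a placeholder for your own ranges; the TcpReceivePacketSize check is Microsoft's published registry workaround for CVE-2020-1350, which the article itself does not discuss.

```powershell
# Added example, not from the article. Inventory every domain-joined Windows server,
# find which ones run the DNS Server service, note whether each is a domain controller,
# when it was last patched, and whether Microsoft's registry workaround for CVE-2020-1350
# (TcpReceivePacketSize = 0xFF00) is present. Then sweep a subnet for hosts answering
# on TCP/53 that are absent from AD, which is where "abandonware" tends to hide.
# Assumptions: RSAT ActiveDirectory module, WinRM reachable on the servers,
# and 10.0.0.0/24 below is a placeholder subnet.
Import-Module ActiveDirectory

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
    -Properties OperatingSystem, IPv4Address

$inventory = foreach ($s in $servers) {
    try {
        Invoke-Command -ComputerName $s.DNSHostName -ErrorAction Stop -ScriptBlock {
            $svc    = Get-Service -Name DNS -ErrorAction SilentlyContinue
            $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
            $pkt    = (Get-ItemProperty -Path $params -Name TcpReceivePacketSize `
                          -ErrorAction SilentlyContinue).TcpReceivePacketSize
            $last   = (Get-HotFix | Sort-Object InstalledOn -Descending |
                          Select-Object -First 1).InstalledOn
            [pscustomobject]@{
                Host          = $env:COMPUTERNAME
                OS            = (Get-CimInstance Win32_OperatingSystem).Caption
                DnsService    = if ($svc) { [string]$svc.Status } else { 'not installed' }
                # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
                IsDC          = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
                LastHotfix    = $last
                WorkaroundSet = ($pkt -eq 0xFF00)
            }
        }
    } catch {
        # Unreachable over WinRM: still list it, since "can't manage it" is itself a finding.
        [pscustomobject]@{
            Host          = $s.DNSHostName
            OS            = $s.OperatingSystem
            DnsService    = 'unreachable'
            IsDC          = $null
            LastHotfix    = $null
            WorkaroundSet = $null
        }
    }
}

# DNS servers only, domain controllers first: these are the boxes to patch now.
$inventory | Where-Object { $_.DnsService -ne 'not installed' } |
    Sort-Object IsDC, Host -Descending | Format-Table -AutoSize

# Anything speaking DNS on the wire that AD does not know about.
$known   = $servers.IPv4Address | Where-Object { $_ }
$unknown = 1..254 | ForEach-Object { "10.0.0.$_" } |
    Where-Object { $_ -notin $known } |
    Where-Object { (Test-NetConnection -ComputerName $_ -Port 53 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded }
if ($unknown) {
    Write-Warning "Hosts answering on TCP/53 but absent from AD: $($unknown -join ', ')"
}
```

The sweep uses Test-NetConnection one address at a time, so a /24 takes a few minutes; for larger ranges, feed the same TCP/53 check the IP list from your DHCP leases or a scanner export instead. Any host that answers on 53 and is not in the inventory needs a name, an owner, and a patch status before it gets anything else.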

The damage from SIGRed will come not immediately but over the long term, Vixie says, from organizations that didn't do their due diligence.

Consider a Heterogeneous Infrastructure
SIGRed is an example of how businesses may benefit from a heterogeneous DNS infrastructure, Liu says. If Microsoft's DNS servers forwarded to another type of DNS server without this vulnerability, then an attacker wouldn't be able to exploit SIGRed to compromise them.

"If you go all in with a particular provider or particular technology, you can pay the price," he says. Liu cites the 2016 Dyn DDoS attack as an example of what could happen if an organization puts "all their eggs in one basket." Many of the companies that went down in the Dyn attack solely used Dyn as their DNS infrastructure, he says.

Running a heterogeneous infrastructure may be more onerous than using Windows DNS alone, Liu says. In his experience, he continues, open source DNS implementations like BIND and Unbound tend to have more security features than Microsoft DNS Server, which historically ran on enterprise WANs and lacks many of the advanced DNS security features businesses may want for a server that's directly exposed to the Internet.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 

Comments
Cricket Liu, 7/21/2020 1:28:22 PM

Make sure your Microsoft DNS Server only forwards

One caveat I forgot to mention: If you forward from your Microsoft DNS Servers to BIND or Unbound or another DNS server not vulnerable to SIGRed, make sure the Microsoft DNS Servers rely entirely on forwarders and don't fall back to querying authoritative DNS servers by themselves, which is what they will do by default. Just uncheck the "Use root hints if no forwarders are available" box in the DNS Console and your Microsoft DNS Servers won't fall back. You should also make sure you have firewall ACLs in place preventing your Microsoft DNS Server from communicating with arbitrary IP addresses on the Internet, "belt and suspenders" and all that.
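The forward-only configuration Liu describes in the article and in the comment above, as an added PowerShell example that is not from the article and not Liu's own code. It uses the DnsServer module's Set-DnsServerForwarder, whose -UseRootHint $false is the cmdlet equivalent of unchecking "Use root hints if no forwarders are available" in the DNS console, then reads the configuration back to confirm the server cannot fall back to root hints. The resolver addresses 10.0.0.53 and 10.0.0.54 are placeholders for your BIND or Unbound forwarders. Treat this as defense in depth alongside the patch, not as a substitute for it.

```powershell
# Added example, not from the article or its commenter. Put a Windows DNS Server into
# forward-only mode so it never walks the Internet's authoritative servers itself.
# Assumptions: run on the DNS server (or via Invoke-Command) with the DnsServer module;
# 10.0.0.53 and 10.0.0.54 are placeholder addresses for non-Windows resolvers.
Import-Module DnsServer

$forwarders = '10.0.0.53', '10.0.0.54'

# Set-DnsServerForwarder replaces the whole forwarder list (Add-DnsServerForwarder would
# append). -UseRootHint $false removes the default fallback to root hints, which is the
# behaviour Liu warns about: without it the server queries the Internet on its own
# whenever the forwarders time out.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false -Timeout 3

# Read the configuration back rather than trusting the call succeeded silently.
$cfg = Get-DnsServerForwarder
$strays = @($cfg.IPAddress | Where-Object { $_.IPAddressToString -notin $forwarders })
if ($cfg.UseRootHint -or $strays.Count -gt 0) {
    throw "Server can still resolve beyond the forwarders:`n$($cfg | Out-String)"
}
Write-Output ("Forward-only: forwarders={0} rootHints={1}" -f
    ($cfg.IPAddress -join ','), $cfg.UseRootHint)

# The firewall ACL is the second half of "belt and suspenders": on the perimeter
# firewall, allow UDP/53 and TCP/53 outbound from this server only to $forwarders
# and block 53 to everything else. That rule belongs on the network device, not here,
# because a host-level outbound block on port 53 would also cut the domain controller
# off from its peer DCs' DNS service.
```

Run Get-DnsServerForwarder again after every Windows update or DNS Manager session; the root-hints checkbox is easy to re-enable by accident, and the throw above is what turns that regression into a visible failure instead of a quiet return to the default.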