Dark Reading is part of the Informa Tech Division of Informa PLC

05:55 PM

SIGRed: What You Should Know About the Windows DNS Server Bug

DNS experts share their thoughts on the wormable vulnerability and explain why it should be a high priority for businesses.

Last week Microsoft patched SIGRed, a critical and wormable vulnerability in the Windows DNS Server that affects Windows Server versions 2003 through 2019. CVE-2020-1350, which has a CVSS base score of 10.0, should be a top priority for any environment running Windows DNS Server.

SIGRed was the standout among 123 CVEs Microsoft fixed as part of its monthly Patch Tuesday rollout. DNS experts say a combination of factors -- including ease of exploitation, severity of an attack, and shift in attacker techniques -- could make this vulnerability dangerous to companies that neglect to patch. It's possible businesses may not know they're exposed until it's too late.

"This is a vulnerability that's serious enough to give somebody access to the host that's actually running the Microsoft DNS Server," says Cricket Liu, chief DNS architect at Infoblox. This host is often the domain controller, he says. If attackers gain access to a domain controller and a target organization has an extensive DNS infrastructure based on Windows DNS Server, they could potentially propagate from the initial host to all internal domain controllers, Liu explains.

SIGRed takes its name from SIG records, the DNSSEC signature record type whose handling triggers the flaw: a heap-based buffer overflow in the Windows DNS Server's parsing of a malicious SIG response. Attackers would have to craft and publish a SIG or RRSIG record on an authoritative DNS server they control on the Internet, and from there, Liu adds, they would need to make the organization's DNS server look up that record. The malicious response has to be delivered over TCP, which is why Microsoft's interim workaround caps the size of TCP DNS messages the server will accept. SIG records are not widely used; however, there are ways to force the lookup. The Check Point researchers who discovered SIGRed found attackers could simply get someone to visit a web page in order to induce the browser into sending a DNS query to a nearby DNS server: the page makes the browser send an HTTP request to port 53 of the internal Windows DNS server, which parses the request body as a DNS-over-TCP query (Chrome and Firefox refuse to connect to port 53, so the technique relied on Internet Explorer or the older Edge).

Successful attackers could achieve domain administrator rights and compromise the entire corporate infrastructure. They might launch a botnet running at a high-privilege level inside a number of businesses or use their access as a launch point for further malicious activity. And, as DNS experts point out, they don't need to be sophisticated to pull this off.

"This one is highly exploitable by people who don't need significant technical knowledge," says Rodney Joffe, senior vice president and security CTO at Neustar, who notes the shift to working from home could put businesses at greater risk as attackers target remote employees. Without the protections of corporate offices, it's easier and more appealing for adversaries to break in.

Rather than targeting a large enterprise environment, attackers can now target thousands of employees who need privileged access to do their jobs. They only need to get onto their home networks and move laterally to find someone working on a personal device. This shift, combined with the easily exploitable SIGRed vulnerability, creates "a perfect storm online," Joffe explains.

"From an enterprise point of view, this is one of the top two or three things that need to be patched very, very quickly [from] over the past year," he adds. 

As Check Point researchers point out, this vulnerability could have a severe impact. It's common to find unpatched Windows domain environments, especially domain controllers, and some Internet service providers may have set up their public DNS servers as Windows DNS.

Gotta Patch 'Em All
Large enterprises can't afford to wait until their next patching cycle to apply the fix for SIGRed. Now that it has been disclosed, it's likely attackers are scanning for, and identifying, vulnerable systems online. Applying the fix may not be easy for businesses running Windows DNS Server.

IT admins may run into challenges with computers running DNS servers and domain controllers on the same machine.

"If you have folks running domain controllers, you don't want to be interrupting service on those boxes," Liu says. "People are very sensitive to doing any kind of maintenance on a domain controller if it might impair that box's functionality, since they're so critical to letting people log in and access resources within the domain."

A big problem, especially in legacy environments, is that these machines are often overlooked. The bug has been in the code for 17 years, so there are likely to be servers that have never caused trouble and won't be updated because admins don't realize they're running Windows DNS Server at all. Those machines could prove the greatest threat if they aren't patched quickly.

Joffe advises monitoring all internal traffic for DNS traffic coming from unknown, unidentified, and unexpected Windows machines. In addition to commercial offerings, there are a number of open source and community-based services businesses can use to watch their traffic. He cites Spamhaus, SURBL, Shadowserver, and Dissect Cyber as examples of such initiatives.

"Please find out what kind of shadow IT, what kind of abandonware, what kind of systems may be carrying data for your enterprise, in your role as a counterparty to the people outside your enterprise," urges Paul Vixie, chairman, CEO, and co-founder of Farsight Security. "Do the audit, do the fixing, hire a consultant if you have to, hire an MSSP … find every Windows server doing something at every IP address in your network."

The damage from SIGRed will not come immediately, Vixie says, but in the long term due to organizations that didn't do their due diligence.
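The audit Vixie calls for and the "forgotten DNS server" problem above can be scripted. The following is an added example, not code from the article or from any of the vendors quoted; it assumes the RSAT ActiveDirectory and DnsServer modules, WinRM access to the targets, and a domain-joined admin session. It inventories every enabled server object in AD, reports which ones actually run the DNS Server service, whether each is a domain controller, how forwarding is configured, and whether Microsoft's documented registry workaround for CVE-2020-1350 (TcpReceivePacketSize = 0xFF00) is in place. The KB number for the real fix differs per OS version, so the script checks the workaround rather than guessing at hotfix IDs; confirm the patch separately with Get-HotFix and the KB that matches each server's OS.

```powershell
# Added example (not from the article): inventory Windows DNS Servers from AD and
# check each one for Microsoft's published SIGRed workaround.
# Assumptions: RSAT ActiveDirectory + DnsServer modules, WinRM reachable on targets.

Import-Module ActiveDirectory

# Registry location of Microsoft's CVE-2020-1350 workaround value.
$WorkaroundKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-SigRedStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
        if (-not $svc) { return $null }   # no DNS Server role on this host

        # Workaround caps TCP DNS messages at 0xFF00 (65280) bytes.
        $tcpSize = (Get-ItemProperty -Path $using:WorkaroundKey -Name TcpReceivePacketSize `
                        -ErrorAction SilentlyContinue).TcpReceivePacketSize

        $fwd = Get-DnsServerForwarder -ErrorAction SilentlyContinue

        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
        $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

        [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            DnsServiceStatus   = $svc.Status.ToString()
            IsDomainController = ($role -ge 4)
            WorkaroundApplied  = ($tcpSize -eq 0xFF00)
            Forwarders         = (@($fwd.IPAddress) -join ',')
            UseRootHint        = $fwd.UseRootHint
        }
    }
}

function Find-WindowsDnsServers {
    # Every enabled computer with a server OS, not just the known DC list:
    # SIGRed hides on the boxes nobody remembers.
    $servers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Server*' } `
                              -Properties OperatingSystem
    foreach ($s in $servers) {
        try {
            $status = Get-SigRedStatus -ComputerName $s.DNSHostName
            if ($status) {
                $status | Add-Member -NotePropertyName OS -NotePropertyValue $s.OperatingSystem -PassThru
            }
        } catch {
            Write-Warning "Could not query $($s.DNSHostName): $_"
        }
    }
}

function Set-SigRedWorkaround {
    # Applies Microsoft's registry workaround and restarts the DNS service.
    # Stopgap only: the security update is the fix. Restarting DNS briefly
    # interrupts resolution, which matters on a domain controller.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        New-ItemProperty -Path $using:WorkaroundKey -Name TcpReceivePacketSize `
                         -PropertyType DWord -Value 0xFF00 -Force | Out-Null
        Restart-Service -Name DNS
    }
}

# Report every DNS server that still lacks the workaround.
Find-WindowsDnsServers | Where-Object { -not $_.WorkaroundApplied } | Format-Table -AutoSize
```

Run the report first; only push Set-SigRedWorkaround to hosts you cannot patch in the current window, and plan the DNS service restart for DCs the way you would any other maintenance on them.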

Consider a Heterogeneous Infrastructure
SIGRed is an example of how businesses may benefit from a heterogeneous DNS infrastructure, Liu says. If Microsoft's DNS servers forwarded to another type of DNS server without this vulnerability, then an attacker wouldn't be able to exploit SIGRed to compromise them.

"If you go all in with a particular provider or particular technology, you can pay the price," he says. Liu cites the 2016 Dyn DDoS attack as an example of what could happen if an organization puts "all their eggs in one basket." Many of the companies that went down in the Dyn attack solely used Dyn as their DNS infrastructure, he says.

Running a heterogeneous infrastructure may be more onerous than using only Windows DNS, Liu says. In his experience, open source DNS implementations like BIND and Unbound tend to have more security features than Microsoft DNS Server, which historically ran on enterprise WANs and lacks many of the advanced DNS security features businesses may want on a server that's directly exposed to the Internet.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comment from Cricket Liu, 7/21/2020 | 1:28:22 PM
Make sure your Microsoft DNS Server only forwards
One caveat I forgot to mention: If you forward from your Microsoft DNS Servers to BIND or Unbound or another DNS server not vulnerable to SIGRed, make sure the Microsoft DNS Servers rely entirely on forwarders and don't fall back to querying authoritative DNS servers by themselves--which is what they will do by default.  Just uncheck the "Use root hints if no forwarders are available" box in the DNS Console and your Microsoft DNS Servers won't fall back.  You should also make sure you have firewall ACLs in place preventing your Microsoft DNS Server from communicating with arbitrary IP addresses on the Internet--"belt and suspenders" and all that.
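The forward-only configuration described in the "Consider a Heterogeneous Infrastructure" section and in the comment above, as an added example that is not part of the article or the comment. It assumes the DnsServer module on the Windows DNS Server and that 10.0.0.53 and 10.0.1.53 are placeholder addresses for the BIND or Unbound resolvers; -UseRootHint $false is the PowerShell equivalent of unchecking "Use root hints if no forwarders are available". The firewall function is the host-level "belt and suspenders" for the perimeter ACL the comment recommends, and it only makes sense when the forwarders sit in RFC 1918 space, as the placeholders do.

```powershell
# Added example (not from the article or the comment): make a Windows DNS Server
# rely entirely on non-Windows forwarders, verify it, and stop dns.exe from
# reaching port 53 on the Internet on its own.
# Assumptions: DnsServer module present; 10.0.0.53 / 10.0.1.53 are placeholders
# for internal BIND or Unbound resolvers.

Import-Module DnsServer

$Forwarders = @('10.0.0.53', '10.0.1.53')   # placeholder resolver addresses

function Set-ForwardOnlyResolution {
    param([Parameter(Mandatory)][string[]]$ForwarderAddress)

    # -UseRootHint $false turns off the default fallback to root hints, so the
    # Windows server never contacts Internet authoritative servers itself.
    Set-DnsServerForwarder -IPAddress $ForwarderAddress -UseRootHint $false -Timeout 3
}

function Test-ForwardOnlyResolution {
    # $true only if at least one forwarder is set AND root-hint fallback is off.
    $fwd = Get-DnsServerForwarder
    $hasForwarders = (@($fwd.IPAddress) | Measure-Object).Count -gt 0
    return ($hasForwarders -and -not $fwd.UseRootHint)
}

function Block-DnsExeToInternet {
    # Windows Firewall applies Block rules before Allow rules, so an Allow for the
    # forwarders would not help. Instead the Block is scoped to everything outside
    # RFC 1918 space (IPv4 only), leaving the internal forwarders reachable.
    $nonPrivate = @(
        '0.0.0.0-9.255.255.255',
        '11.0.0.0-172.15.255.255',
        '172.32.0.0-192.167.255.255',
        '192.169.0.0-255.255.255.255'
    )
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Block dns.exe to Internet ($proto/53)" `
            -Direction Outbound -Action Block `
            -Program '%SystemRoot%\System32\dns.exe' `
            -Protocol $proto -RemotePort 53 -RemoteAddress $nonPrivate | Out-Null
    }
}

Set-ForwardOnlyResolution -ForwarderAddress $Forwarders
if (-not (Test-ForwardOnlyResolution)) {
    throw 'Windows DNS Server can still fall back to root hints'
}
Block-DnsExeToInternet
```

The rules are program-scoped to dns.exe, so other services on a domain controller are unaffected; if your forwarders are public resolvers rather than internal ones, skip the host firewall function and enforce the restriction at the perimeter firewall instead, permitting port 53 outbound only to those forwarder addresses.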