Dark Reading is part of the Informa Tech Division of Informa PLC


7/20/2020
05:55 PM

SIGRed: What You Should Know About the Windows DNS Server Bug

DNS experts share their thoughts on the wormable vulnerability and explain why it should be a high priority for businesses.

Last week Microsoft patched SIGRed, a critical and wormable vulnerability in the Windows DNS Server that affects Windows Server versions 2013 to 2019. CVE-2020-1350, which has a CVSS base score of 10.0, should be a top priority for any environment running Windows DNS Server.

SIGRed was the standout among 123 CVEs Microsoft fixed as part of its monthly Patch Tuesday rollout. DNS experts say a combination of factors -- including ease of exploitation, severity of an attack, and shift in attacker techniques -- could make this vulnerability dangerous to companies that neglect to patch. It's possible businesses may not know they're exposed until it's too late.

"This is a vulnerability that's serious enough to give somebody access to the host that's actually running the Microsoft DNS Server," says Cricket Liu, chief DNS architect at Infoblox. This host is often the domain controller, he says. If attackers gain access to a domain controller and a target organization has an extensive DNS infrastructure based on Windows DNS Server, they could potentially propagate from the initial host to all internal domain controllers, Liu explains.

SIGRed was named for SIG records, which can be used to trigger this vulnerability. Attackers would have to fashion and publish a SIG or RRSIG record on an authoritative DNS server on the Internet. From there, he adds, they would need to make an organization's DNS server look up that record. SIG records are not widely used; however, there are ways to do this. The Check Point researchers who discovered SIGRed found attackers could simply get someone to visit a web page in order to induce the browser into sending a DNS query to a nearby DNS server.

Successful attackers could achieve domain administrator rights and compromise the entire corporate infrastructure. They might launch a botnet running at a high-privilege level inside a number of businesses or use their access as a launch point for further malicious activity. And, as DNS experts point out, they don't need to be sophisticated to pull this off.

"This one is highly exploitable by people who don't need significant technical knowledge," says Rodney Joffe, senior vice president and security CTO at Neustar, who notes the shift to working from home could put businesses at greater risk as attackers target remote employees. Without the protections of corporate offices, it's easier and more appealing for adversaries to break in.

Rather than targeting a large enterprise environment, attackers can now target thousands of employees who need privileged access to do their jobs. They only need to get onto their home networks and move laterally to find someone working on a personal device. This shift, combined with the easily exploitable SIGRed vulnerability, creates "a perfect storm online," Joffe explains.

"From an enterprise point of view, this is one of the top two or three things that need to be patched very, very quickly [from] over the past year," he adds. 

As Check Point researchers point out, this vulnerability could have a severe impact. It's common to find unpatched Windows domain environments, especially domain controllers, and some Internet service providers may have set up their public DNS servers as Windows DNS.

Gotta Patch 'Em All
Large enterprises can't afford to wait until their next patching cycle to apply the fix for SIGRed. Now that it has been disclosed, it's likely attackers are scanning for, and identifying, vulnerable systems online. Applying the fix may not be easy for businesses running Windows DNS Server.

IT admins may run into challenges with computers running DNS servers and domain controllers on the same machine.

"If you have folks running domain controllers, you don't want to be interrupting service on those boxes," Liu says. "People are very sensitive to doing any kind of maintenance on a domain controller if it might impair that box's functionality, since they're so critical to letting people log in and access resources within the domain."

A big problem, especially in legacy environments, is that these machines are often overlooked. The vulnerability is 17 years old, so there are likely machines that have never caused trouble and won't be upgraded because admins don't realize they're running Windows DNS Server. Those are the machines that could prove the greatest threat if they aren't patched quickly.

Joffe advises monitoring all internal traffic for DNS traffic coming from unknown, unidentified, and unexpected Windows machines. In addition to commercial offerings, there are a number of open source and community-based services businesses can use to watch their traffic. He cites Spamhaus, SURBL, Shadowserver, and Dissect Cyber as examples of open source initiatives.

"Please find out what kind of shadow IT, what kind of abandonware, what kind of systems may be carrying data for your enterprise, in your role as a counterparty to the people outside your enterprise," urges Paul Vixie, chairman, CEO, and co-founder of Farsight Security. "Do the audit, do the fixing, hire a consultant if you have to, hire an MSSP … find every Windows server doing something at every IP address in your network."

The damage from SIGRed will not come immediately, Vixie says, but in the long term due to organizations that didn't do their due diligence.

Consider a Heterogeneous Infrastructure
SIGRed is an example of how businesses may benefit from a heterogeneous DNS infrastructure, Liu says. If Microsoft's DNS servers forwarded to another type of DNS server without this vulnerability, then an attacker wouldn't be able to exploit SIGRed to compromise them.

"If you go all in with a particular provider or particular technology, you can pay the price," he says. Liu cites the 2016 Dyn DDoS attack as an example of what could happen if an organization puts "all their eggs in one basket." Many of the companies that went down in the Dyn attack solely used Dyn as their DNS infrastructure, he says.

Running a heterogeneous infrastructure may be more onerous compared with only using Windows DNS, Liu says. In his experience, he continues, open source DNS implementations like BIND and Unbound tend to have more security features than Microsoft DNS Server, which historically ran on enterprise WANs and lacks many advanced DNS security features businesses may want for a server that's directly exposed to the Internet.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 

Comments

Cricket Liu
7/21/2020 | 1:28:22 PM
Make sure your Microsoft DNS Server only forwards
One caveat I forgot to mention: If you forward from your Microsoft DNS Servers to BIND or Unbound or another DNS server not vulnerable to SIGRED, make sure the Microsoft DNS Servers rely entirely on forwarders and don't fall back to querying authoritative DNS servers by themselves--which is what they will do by default. Just uncheck the "Use root hints if no forwarders are available" box in the DNS Console and your Microsoft DNS Servers won't fall back. You should also make sure you have firewall ACLs in place preventing your Microsoft DNS Server from communicating with arbitrary IP addresses on the Internet--"belt and suspenders" and all that.
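The monitoring Joffe recommends in the article (DNS traffic from unknown or unexpected Windows machines) and the forwarder and firewall-ACL caveat in the comment above come down to the same audit over network logs: which internal hosts are speaking DNS, and to whom. The Python below is an added example, not code from the article or from Infoblox, Neustar or Farsight. It assumes a constructed key=value flow-log format and made-up inventory addresses (internal ranges, the domain controllers running Windows DNS Server, and the non-Windows resolvers they are supposed to forward to), and it flags three conditions: an inventoried Windows DNS server reaching an Internet resolver directly instead of its designated forwarders (the root-hints fallback or missing ACL the comment warns about), a non-inventoried internal host resolving externally on its own, and an internal host answering DNS queries without being in the inventory.

```python
"""Audit connection logs for DNS flows that break the expected topology.

Added example with a hypothetical log format, addresses and inventory;
it is not code from the article or from any vendor quoted in it.
"""
import ipaddress
import re

# Constructed inventory: internal ranges, the domain controllers running
# Windows DNS Server, and the non-Windows resolvers they should forward to.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WINDOWS_DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}
APPROVED_FORWARDERS = {"10.0.5.53", "10.0.5.54"}  # e.g. BIND or Unbound boxes

# Constructed log lines in a simple key=value flow format, one flow per line.
SAMPLE_LOG = """\
2020-07-20T10:00:01Z src=10.0.1.25 dst=10.0.0.10 dport=53 proto=udp
2020-07-20T10:00:02Z src=10.0.0.10 dst=10.0.5.53 dport=53 proto=udp
2020-07-20T10:00:03Z src=10.0.5.53 dst=198.51.100.7 dport=53 proto=udp
2020-07-20T10:00:04Z src=10.0.0.11 dst=203.0.113.9 dport=53 proto=tcp
2020-07-20T10:00:05Z src=10.0.7.200 dst=198.51.100.7 dport=53 proto=udp
2020-07-20T10:00:06Z src=10.0.1.25 dst=10.0.7.200 dport=53 proto=udp
2020-07-20T10:00:07Z src=10.0.1.26 dst=10.0.0.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_line(line):
    """Parse one flow line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def classify(rec):
    """Label a single flow, or return None when it fits the expected topology."""
    if rec["dport"] != 53 or not is_internal(rec["src"]):
        return None  # not DNS, or inbound from the Internet (out of scope here)
    src, dst = rec["src"], rec["dst"]
    if is_internal(dst):
        if dst in WINDOWS_DNS_SERVERS or dst in APPROVED_FORWARDERS:
            return None  # a client, or a DC, asking an inventoried server
        return "unknown_internal_dns_server"  # an unlisted host is answering DNS
    # Destination is on the Internet.
    if src in WINDOWS_DNS_SERVERS:
        # Root-hints fallback or a missing ACL: the DC went past its forwarders.
        return "windows_dns_bypassing_forwarders"
    if src in APPROVED_FORWARDERS:
        return None  # the designated resolvers are the only hosts meant to do this
    return "unknown_host_resolving_externally"


def audit(log_text):
    """Return (timestamp, src, dst, label) for every flagged flow, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            findings.append((rec["ts"], rec["src"], rec["dst"], label))
    return findings


def hosts_by_finding(findings):
    """Group the host that needs attention under each label: the unlisted
    server for unknown_internal_dns_server, otherwise the source host."""
    grouped = {}
    for _, src, dst, label in findings:
        host = dst if label == "unknown_internal_dns_server" else src
        grouped.setdefault(label, set()).add(host)
    return grouped


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for ts, src, dst, label in results:
        print(f"{ts} {src} -> {dst}:53  {label}")
    for label, hosts in hosts_by_finding(results).items():
        print(f"{label}: {sorted(hosts)}")
```

On the constructed sample, 10.0.0.11 (a Windows DNS server) is flagged for talking to an Internet resolver directly, which is what disabling root-hints fallback and adding the egress ACL are meant to prevent, and 10.0.7.200 shows up twice: it answers DNS for an internal client and resolves externally on its own without being in any inventory, which is the profile of the forgotten or shadow-IT Windows DNS server the article says is hardest to find. Real deployments would read the same fields from firewall or NetFlow exports and load the inventory from a CMDB rather than constants.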