Endpoint | 7/20/2020 05:55 PM
SIGRed: What You Should Know About the Windows DNS Server Bug

DNS experts share their thoughts on the wormable vulnerability and explain why it should be a high priority for businesses.

Last week Microsoft patched SIGRed, a critical and wormable vulnerability in the Windows DNS Server that affects Windows Server versions 2013 to 2019. CVE-2020-1350, which has a CVSS base score of 10.0, should be a top priority for any environment running Windows DNS Server.

SIGRed was the standout among 123 CVEs Microsoft fixed as part of its monthly Patch Tuesday rollout. DNS experts say a combination of factors -- including ease of exploitation, severity of an attack, and shift in attacker techniques -- could make this vulnerability dangerous to companies that neglect to patch. It's possible businesses may not know they're exposed until it's too late.

"This is a vulnerability that's serious enough to give somebody access to the host that's actually running the Microsoft DNS Server," says Cricket Liu, chief DNS architect at Infoblox. This host is often the domain controller, he says. If attackers gain access to a domain controller and a target organization has an extensive DNS infrastructure based on Windows DNS Server, they could potentially propagate from the initial host to all internal domain controllers, Liu explains.

SIGRed was named for SIG records, which can be used to trigger this vulnerability. Attackers would have to fashion and publish a SIG or RRSIG record on an authoritative DNS server on the Internet. From there, Liu adds, they would need to make an organization's DNS server look up that record. SIG records are not widely used, but there are ways to cause such a lookup: the Check Point researchers who discovered SIGRed found attackers could simply get someone to visit a web page in order to induce the browser into sending a DNS query to a nearby DNS server.

Successful attackers could achieve domain administrator rights and compromise the entire corporate infrastructure. They might launch a botnet running at a high-privilege level inside a number of businesses or use their access as a launch point for further malicious activity. And, as DNS experts point out, they don't need to be sophisticated to pull this off.

"This one is highly exploitable by people who don't need significant technical knowledge," says Rodney Joffe, senior vice president and security CTO at Neustar, who notes the shift to working from home could put businesses at greater risk as attackers target remote employees. Without the protections of corporate offices, it's easier and more appealing for adversaries to break in.

Rather than targeting a large enterprise environment, attackers can now target thousands of employees who need privileged access to do their jobs. They only need to get onto their home networks and move laterally to find someone working on a personal device. This shift, combined with the easily exploitable SIGRed vulnerability, creates "a perfect storm online," Joffe explains.

"From an enterprise point of view, this is one of the top two or three things that need to be patched very, very quickly [from] over the past year," he adds.

As Check Point researchers point out, this vulnerability could have a severe impact. It's common to find unpatched Windows domain environments, especially domain controllers, and some Internet service providers may have set up their public DNS servers as Windows DNS.

Gotta Patch 'Em All
Large enterprises can't afford to wait until their next patching cycle to apply the fix for SIGRed. Now that it has been disclosed, it's likely attackers are scanning for, and identifying, vulnerable systems online. Applying the fix may not be easy for businesses running Windows DNS Server.

IT admins may run into challenges with computers running DNS servers and domain controllers on the same machine.

"If you have folks running domain controllers, you don't want to be interrupting service on those boxes," Liu says. "People are very sensitive to doing any kind of maintenance on a domain controller if it might impair that box's functionality, since they're so critical to letting people log in and access resources within the domain."

A big problem, especially in legacy environments, is that these machines are often overlooked. This vulnerability is 17 years old, meaning there are likely devices that haven't had problems and won't be upgraded because admins don't realize they're running Windows DNS Server. It's these machines that could prove the greatest threat if they aren't patched quickly.

Joffe advises monitoring all internal traffic for DNS traffic coming from unknown, unidentified, and unexpected Windows machines. In addition to commercial offerings, there are a number of open source and community-based services businesses can use to watch their traffic. He cites Spamhaus, SURBL, Shadowserver, and Dissect Cyber as examples of open source initiatives.

"Please find out what kind of shadow IT, what kind of abandonware, what kind of systems may be carrying data for your enterprise, in your role as a counterparty to the people outside your enterprise," urges Paul Vixie, chairman, CEO, and co-founder of Farsight Security. "Do the audit, do the fixing, hire a consultant if you have to, hire an MSSP … find every Windows server doing something at every IP address in your network."

The damage from SIGRed will not come immediately, Vixie says, but in the long term due to organizations that didn't do their due diligence.
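One way to carry out the audit Vixie describes, finding every domain-joined Windows server that actually runs the DNS Server role and whether the July 2020 fix is present. This is an added example, not code from the article or from any of the people quoted; it assumes the ActiveDirectory and ServerManager modules are available, the caller can query each host remotely, and `KB<placeholder>` is replaced with the KB number for each OS version from Microsoft's CVE-2020-1350 advisory.

```powershell
# Added example: inventory Windows servers in the domain and flag the ones running
# the DNS Server role, so overlooked "abandonware" DNS boxes are not missed for patching.
# $PatchKb is a placeholder; substitute the KB that applies to each OS version.
Import-Module ActiveDirectory
$PatchKb = 'KB<placeholder>'

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' `
    -Properties OperatingSystem, IPv4Address

$report = foreach ($s in $servers) {
    $hasDns  = $false
    $patched = $null
    try {
        # Get-WindowsFeature can query a remote host; Installed is $true when the role is present.
        $hasDns = (Get-WindowsFeature -Name DNS -ComputerName $s.DNSHostName -ErrorAction Stop).Installed
        if ($hasDns) {
            # Get-HotFix returns nothing when the update is absent, so cast to [bool].
            $patched = [bool](Get-HotFix -Id $PatchKb -ComputerName $s.DNSHostName -ErrorAction SilentlyContinue)
        }
    } catch {
        # Unreachable hosts are reported rather than silently dropped: they still need a follow-up.
        $hasDns = 'unreachable'
    }
    [pscustomobject]@{
        Host    = $s.DNSHostName
        OS      = $s.OperatingSystem
        IPv4    = $s.IPv4Address
        DnsRole = $hasDns
        Patched = $patched
    }
}

# Show everything, then export the list that matters most: DNS servers without the fix.
$report | Sort-Object Patched, DnsRole | Format-Table -AutoSize
$report | Where-Object { $_.DnsRole -eq $true -and -not $_.Patched } |
    Export-Csv -Path .\unpatched-dns-servers.csv -NoTypeInformation
```

Hosts that report `unreachable` for `DnsRole` need to be checked by other means (for example, looking for port 53 listeners in your asset inventory), since a server you cannot reach over WinRM may be exactly the forgotten machine the article warns about.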

Consider a Heterogeneous Infrastructure
SIGRed is an example of how businesses may benefit from a heterogeneous DNS infrastructure, Liu says. If Microsoft's DNS servers forwarded to another type of DNS server without this vulnerability, then an attacker wouldn't be able to exploit SIGRed to compromise them.

"If you go all in with a particular provider or particular technology, you can pay the price," he says. Liu cites the 2016 Dyn DDoS attack as an example of what could happen if an organization puts "all their eggs in one basket." Many of the companies that went down in the Dyn attack solely used Dyn as their DNS infrastructure, he says.

Running a heterogeneous infrastructure may be more onerous compared with only using Windows DNS, Liu says. In his experience, he continues, open source DNS implementations like BIND and Unbound tend to have more security features than Microsoft DNS Server, which historically ran on enterprise WANs and lacks many advanced DNS security features businesses may want for a server that's directly exposed to the Internet.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
Cricket Liu, User Rank: Apprentice, 7/21/2020 | 1:28:22 PM
Make sure your Microsoft DNS Server only forwards
One caveat I forgot to mention: If you forward from your Microsoft DNS Servers to BIND or Unbound or another DNS server not vulnerable to SIGRed, make sure the Microsoft DNS Servers rely entirely on forwarders and don't fall back to querying authoritative DNS servers by themselves--which is what they will do by default. Just uncheck the "Use root hints if no forwarders are available" box in the DNS Console and your Microsoft DNS Servers won't fall back. You should also make sure you have firewall ACLs in place preventing your Microsoft DNS Server from communicating with arbitrary IP addresses on the Internet--"belt and suspenders" and all that.
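The PowerShell equivalent of the DNS Console change the comment describes, applied to a list of Windows DNS servers and then verified. This is an added example, not the commenter's code; the server names and the forwarder addresses 10.0.0.53 and 10.0.0.54 are placeholders for your own non-Windows resolvers (BIND, Unbound, or similar).

```powershell
# Added example: make each Windows DNS Server rely only on its forwarders and never
# fall back to root hints, then report any server where the fallback is still enabled.
Import-Module DnsServer
$DnsServers = @('dns1.corp.example', 'dns2.corp.example')   # placeholders
$Forwarders = @('10.0.0.53', '10.0.0.54')                   # placeholder non-Windows resolvers

foreach ($server in $DnsServers) {
    # -UseRootHint $false is the same as unchecking
    # "Use root hints if no forwarders are available" in the DNS Console.
    Set-DnsServerForwarder -ComputerName $server -IPAddress $Forwarders `
        -UseRootHint $false -Timeout 3

    # Verify rather than trust: read the setting back from the server.
    $cfg = Get-DnsServerForwarder -ComputerName $server
    if ($cfg.UseRootHint -or -not $cfg.IPAddress) {
        Write-Warning "$server can still query the Internet directly (UseRootHint=$($cfg.UseRootHint), forwarders=$($cfg.IPAddress -join ','))"
    } else {
        "$server -> forwarders only: $($cfg.IPAddress -join ', ')"
    }
}

# The "belt and suspenders" part belongs on the network firewall, not in this script:
# allow UDP/TCP 53 from these servers to $Forwarders only, and deny all other
# outbound port 53 traffic from them, so a misconfiguration cannot reopen the path.
```

Windows Firewall gives block rules precedence over allow rules, so a naive "block all outbound 53 plus allow forwarders" pair on the host will also block the forwarders; put the restriction on the perimeter or segment firewall as the comment suggests.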