Critical SIGred Windows DNS bug gets micropatch after PoCs released

The critical remote code execution security vulnerability in Windows DNS known as SIGRed has received a micropatch for servers without an Extended Security Updates (ESU) license.

SIGRed can be exploited in a wormable fashion, allowing an adversary to expand their attack to all affected systems on the network without user interaction. It received the tracking number CVE-2020-1350 and the maximum severity score, 10 out of 10.

Discovered and reported responsibly to Microsoft by Sagi Tzadik and Eyal Itkin from Check Point Research, SIGRed stems from a flaw in how Microsoft implemented the DNS server role and affects all Windows DNS server versions starting 2003.

DoS exploits available

Microsoft stopped support for Windows Server 2008, providing security updates only to customers with an ESU license but these systems are still in use. A patch for 2012 versions is available through regular updates.

Proof-of-concept (PoC) scripts that trigger the vulnerability and create a denial-of-service condition are already publicly available (12). It is safe to assume that a reliable exploit to achieve remote code execution is in the works.

The 0patch platform from Acros Security has been updated this week with corrective instructions to protect against SIGRed. The fix is delivered in memory and no system restart is necessary.

Mitja Kolsek, 0Patch co-founder, says that a micropatch is currently available to Pro customers of the platform running Windows Server 2008 machines with no security updates from Microsoft. The fix was modeled after the PoC from Max Van Amerongen of F-Secure.

Micropatch logs exploits attempts

Kolsek says that the official patch had three integer overflow/underflow checks, “for one subtraction and two addition operations.” The micropatch is similar but also detects logs and shows an exploit attempt when detecting the over/underflow.

“Our micropatch does logically the same, with one difference – when integer overflow/underflow is detected, it also displays and logs an exploit attempt, allowing admins to know that their server was targeted by an exploit” – Mitja Kolsek

The micropatch is available clients with a 0Patch PRO subscription that run Windows Server 2008 R2. The plan is to port it for version 2003 of the server.

A video published on Friday shows how Windows DNS systems react to a SIGRed attack with and without the micropatch:

[embedded content]

Source: BleepingComputer

Leave a Reply