A critical vulnerability tracked as CVE-2020-1350, affecting Windows Server versions 2003 to 2019, has been patched after sitting in the Windows DNS Server code for almost 17 years. Also known as SigRed, this 17-year-old "wormable" remote code execution (RCE) vulnerability can propagate between vulnerable machines in a network without any user interaction, allowing other threats to spread across the target's infrastructure.
A remote attacker may exploit the flaw by sending specially crafted malicious DNS queries to a targeted Windows DNS server; a successful exploit grants the attacker administrator privileges on that server and can lead to compromise of the entire organization's network. A compromised DNS server could enable attackers to intercept and manipulate users' email and network traffic, make services unavailable, and harvest users' credentials.
Microsoft stated that it is not aware of active exploitation in the wild, but stressed the importance of applying the security patch that addresses the vulnerability, or of applying temporary measures to prevent exploitation until the patch can be installed.
Affected systems: Windows Server versions 2003 to 2019
CERT-PH recommends the following actions be taken:
Install the latest security updates from Microsoft, released as part of the July 2020 Patch Tuesday, which address this vulnerability.
However, if patching is not possible at the moment, Microsoft and the security researchers who discovered the vulnerability suggest a registry change that restricts the size of the largest inbound TCP-based DNS response packet allowed, as a temporary workaround, using the following commands (the DNS service must be restarted for the change to take effect):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
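The following PowerShell script is an added example, not part of the CERT-PH advisory or Microsoft's guidance: it lets an administrator audit whether the TcpReceivePacketSize workaround is in place on a DNS server, apply it, and remove it again once the July 2020 update has been installed (Microsoft's advisory notes the workaround can be removed after patching). The function names and the -Remove switch are this example's own choices; the registry path and the value 0xFF00 are those from the advisory above. Run it in an elevated session on the DNS server.

```powershell
# Added example (not from the CERT-PH advisory): audit, apply, or remove the
# TcpReceivePacketSize registry workaround for CVE-2020-1350 (SigRed).
# Run in an elevated PowerShell session on the Windows DNS server itself.
# Function names and the -Remove switch are choices made for this example.

$DnsParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName     = 'TcpReceivePacketSize'
$ExpectedValue = 0xFF00   # 65280 bytes, the value the published workaround sets

function Test-SigRedWorkaround {
    # Reports whether the registry workaround is present and whether the
    # DNS Server service exists and is running, without changing anything.
    $dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $current = (Get-ItemProperty -Path $DnsParamsPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    [pscustomobject]@{
        DnsServerInstalled = [bool]$dnsService
        DnsServiceStatus   = if ($dnsService) { $dnsService.Status.ToString() } else { 'NotInstalled' }
        CurrentValue       = $current
        WorkaroundApplied  = ($null -ne $current -and $current -eq $ExpectedValue)
    }
}

function Set-SigRedWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remove   # delete the value once the July 2020 security update is installed
    )

    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        Write-Warning 'DNS Server service not found on this host; nothing to do.'
        return
    }

    if ($Remove) {
        if ($PSCmdlet.ShouldProcess($DnsParamsPath, "Remove $ValueName")) {
            Remove-ItemProperty -Path $DnsParamsPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    } else {
        $action = 'Set {0} = 0x{1:X}' -f $ValueName, $ExpectedValue
        if ($PSCmdlet.ShouldProcess($DnsParamsPath, $action)) {
            # -Force creates the DWORD value or overwrites an existing one
            New-ItemProperty -Path $DnsParamsPath -Name $ValueName -PropertyType DWord -Value $ExpectedValue -Force | Out-Null
        }
    }

    # The DNS service reads this parameter at start-up, so a restart is required
    # for the change (or its removal) to take effect.
    if ($PSCmdlet.ShouldProcess('DNS', 'Restart-Service')) {
        Restart-Service -Name DNS
    }

    # Return the resulting state so the caller can confirm what happened.
    Test-SigRedWorkaround
}

# Usage:
#   Test-SigRedWorkaround           # audit only, no changes
#   Set-SigRedWorkaround -WhatIf    # preview the registry write and service restart
#   Set-SigRedWorkaround            # apply the workaround and restart DNS
#   Set-SigRedWorkaround -Remove    # revert after the update has been installed
```

Because the DNS service restart briefly interrupts name resolution, run the -WhatIf form first and schedule the real change for a maintenance window; Test-SigRedWorkaround can be run from a configuration-management or monitoring job to confirm that every DNS server in the estate is either patched or carrying the workaround.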