'SigRed' alert: Experts urge action on Windows DNS vulnerability

Experts are urging organizations to immediately patch a dangerous DNS vulnerability known as SigRed after proof-of-concept exploits have emerged on the internet.

SigRed, a 17-year-old Windows DNS server vulnerability that was assigned a CVSS score of 10.0 was discovered by Check Point Research. In response, Microsoft released a patch Tuesday.

"SigRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response," Check Point's blog post on the vulnerability reads. "As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure."

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) released an advisory Thursday directing users and administrators to "review Microsoft's Security Advisory and Blog for more information, and apply the necessary update and workaround" by 2 p.m. EST Friday.

CISA director Christopher Krebs said in a blog post Thursday that it was critical for agencies to patch SigRed or implement a mitigation within 24 hours. "Though we are not aware of active exploitation, it is only a matter of time for an exploit to be created for this vulnerability," he wrote.

Johannes Ullrich of the SANS Institute's Internet Storm Center noted Thursday that there is at least one "real" proof-of-concept (PoC) exploit for SigRed available online, and while it doesn't execute code on target systems, he said it could cause DNS servers to crash. Additional PoC exploits have been discovered online, though their effectiveness has not been verified.

Ullrich told SearchSecurity that this vulnerability offers the potential to break entire network architectures.

"The problem is that it potentially allows a remote code execution on the DNS server, which is in itself bad but often the DNS server in the Windows architecture is running on your domain controller, which is the keys to the kingdom, so owning the domain server often means owning of the network," he said. " This vulnerability can potentially break entire network architectures that are built around the standard Windows setup."

Paul Vixie, developer of the DNS protocol and founder and CEO at Farsight Security, argued that the level of attention CVE-2020-1350 received is appropriate because of the nature of DNS architecture and the wormable capability of the flaw.

"When you're talking about remote code execution and you're talking about elevated privilege, that gives you a CVSS score of a perfect 10. It is not possible to measure the risk of a vulnerability as being higher than this," Vixie said, adding that entire network infrastructure can be disrupted by infecting one PC inside an environment. "Once you can do that, you can cause the Sig query to be made and then you can cause an adjacent infection in addition to the one you entered the network with," he said. "So, this is important."

However, Vixie added that the "true importance" of SigRed probably won't be known for a while.