SIGRed - This is not just another vulnerability

Patch Tuesday for June 2020, saw 123 bugs fixed, including 20 in the “critical” category, for IT departments they will just patch these as business as usual, for our OT customers there will need to be a planned maintenance window and reviews. Nothing new here.

One of the vulnerabilities CVE-2020-1350 was identified by Microsoft as ‘Critical Remote Code Execution’ (RCE) vulnerability in Windows DNS Server, this is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. One of the last time we saw 'wormable’ statement was for RDP vulnerabilities such Bluekeep and DeJaBlue, which we wrote about last year. We all remember the capabilities of EnternalBlue in May 2017 which is more commonly identified as WannaCry.

This latest vulnerability (CVE-2020-1350) in Microsoft’s Domain Name Server (DNS) affects all versions of Windows Server.

We’ll provide details on how you can protect against this threat without rebooting your OT system and incurring any downtime until you're ready to apply the official patch.

How does this affect OT?

Domain Name Service is often described as the “phonebook of the network”, this is used for translating friendly computer hostnames into IP addresses. Because DNS is a core component of any Windows network, this role will often reside on the Domain Controller which holds the Active Directory (AD) database including users, computers and credentials.

On Windows Server, the DNS service runs under ‘system level’ privileges so has full access to the Domain Controller and therefore 'keys to the kingdom'.

SIGRed Image

What is SIGRed?

SIGRed is a critical vulnerability with a CVSS base score of 10.0, the vulnerability can be triggered by a malicious DNS response without the need to be authenticated. This was identified by Checkpoint and responsibly disclosed to Microsoft on the 19th May 2020.

Check Point identified this vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That piece of data can be maliciously crafted to allow adversaries to overwrite areas of memory they're not meant to have access to, ultimately gaining full Remote Code Execution on the compromised device at ‘system level privileges'.

Check Point says Microsoft asked not to publicise too many details of other elements of the technique, including how it bypasses certain security features on Windows Servers. Exploit code is available on Github and other resources at the time of this blog, less than 2 days after public disclosure.

How do I fix this?

The best approach is to patch the vulnerable systems to address the root cause, if this is not possible then a small registry change helps mitigate this risk until the patch is applied. This change doesn’t require a reboot therefore requires no downtime, just the restart of the DNS service. The registry change can be removed once the patch has been applied.

To apply the registry fix, locate the key:

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
2. Find (or create if not present) the DWORD value called: TcpReceivePacketSize
3. Set the value data to: FF00 (hexadecimal) or 65280 (decimal)
4. Then restart the DNS server.

How we protect against cyber threats

At SolutionsPT we help our customers protect against threats with our award-winning class of security and recovery solutions for OT. We continue to closely monitor and follow the ever-evolving cybersecurity threat landscape across industrial environments, to make sure we fully understand what the risks are so that we’re able to support and advise our customers accordingly.

 

Get in touch