Wednesday, July 15, 2020

SigRed (CVE-2020-1350) Registry Workaround

Security researchers at Check Point discovered a critical security flaw in Microsoft DNS servers. The flaw allows remote code execution, which leads to total compromise of the server. The DNS server role is often bundled with Enterprise Domain Controllers in corporate environments, so successful exploitation allows an unauthenticated, remote attacker to gain domain administrator privileges and seize complete control of an organization's IT infrastructure. Check Point named the flaw 'SigRed'; it was assigned CVE-2020-1350 with a CVSS base score of 10. The flaw is wormable, meaning a single exploit of the issue can trigger a chain reaction that allows attacks to spread from one computer to another.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note: You must restart the DNS Service for the registry change to take effect.

    The Default (also max) Value = 0xFFFF
    The Recommended Value = 0xFF00 (255 bytes less than the max)

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
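The following PowerShell script is an added example, not part of the original post or of Microsoft's guidance: it audits whether TcpReceivePacketSize is already at or below 0xFF00, applies the value if not, restarts the DNS service and re-checks. It assumes an elevated session on the DNS server itself; the function names are the author's own.

```powershell
# Added example: audit, apply and verify the TcpReceivePacketSize workaround.
# Assumes an elevated PowerShell session on the Windows DNS server.

$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280 bytes: 255 below the 0xFFFF default/maximum

function Get-DnsTcpReceivePacketSize {
    # Returns the configured value, or $null when the value is absent
    # (absent means the server uses the default 0xFFFF).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-SigRedWorkaround {
    # The workaround is in place when the value exists and is at or below 0xFF00.
    $current = Get-DnsTcpReceivePacketSize
    $applied = ($null -ne $current) -and ($current -le $Recommended)
    [pscustomobject]@{
        Current     = if ($null -eq $current) { '0xFFFF (default, value not set)' } else { '0x{0:X4}' -f $current }
        Recommended = '0x{0:X4}' -f $Recommended
        Applied     = $applied
    }
}

function Set-SigRedWorkaround {
    # Writes the DWORD and restarts the DNS service so the change takes effect.
    if (-not (Test-Path $RegPath)) {
        throw "DNS Parameters key not found; is the DNS Server role installed?"
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
        -Value $Recommended -Force | Out-Null
    Restart-Service -Name DNS -Force
    (Get-Service -Name DNS).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

$status = Test-SigRedWorkaround
$status | Format-List
if (-not $status.Applied) {
    Set-SigRedWorkaround
    Test-SigRedWorkaround | Format-List   # re-audit after the restart
}
```

Run the audit portion alone (Test-SigRedWorkaround) across servers first to find which ones still use the default before scheduling the service restart.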

References:
[1] https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
[2] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
