Automatically Discover, Prioritize and Remediate Windows DNS Vulnerability (SigRed – CVE-2020-1350) Using Qualys VMDR®

Animesh Jain

Last updated on: August 3, 2020

On July 14, 2020, Microsoft issued a new security advisory on Microsoft Windows Patch Day – addressing CVE-2020-1350, also known as SigRed – a remote code execution vulnerability in Windows Domain Name System (DNS) servers. The security issue has received a critical severity rating score of 10.0 based on CVSS v3.1 Scoring system. 

SigRed affects Windows servers that are configured to run the DNS Server role as described in the advisory.

The Vulnerability

Microsoft mentioned that “it found no evidence to show that the bug has been actively exploited by attackers and advised users to install patches immediately.” Furthermore, it added that the vulnerability has the potential to spread via malware between vulnerable computers without any user interaction. No authentication is mandatory to execute this wormable vulnerability. A nefarious actor who is successful in exploiting this vulnerability could run arbitrary code in the Local System account.

The flaw impacts only Windows DNS servers and not DNS server clients. Check Point Research team members Sagi Tzadik and Eyal Itkin have presented their research to Microsoft and shown it in a video here.

The following components are vulnerable to CVE-2020-1350:

Function: dns.exe!SigWireRead

Vulnerability Type: Integer Overflow leading to Heap-Based Buffer Overflow

Image Source: Check Point

“Without any human interaction or authentication, a single exploit can start a chain reaction that would allow attacks to spread from one vulnerable machine to another,” the researcher said. “This means that a single compromised machine could spread this attack throughout an organization’s network within minutes of the first exploit.”

Affected Windows Products

Windows Server 2004, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019

Identify Assets, Discover, Prioritize and Remediate Using Qualys VMDR®

Qualys VMDR, all-in-one vulnerability management, detection and response enables:  

  • Identification of known and unknown hosts running vulnerable Windows servers with DNS service
  • Automatic detection of vulnerabilities and misconfigurations for Windows servers
  • Prioritization of threats based on risk 
  • Integrated patch deployment 

Identification of Windows Assets with DNS Running

The first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of windows server hosts with DNS service running

operatingSystem.category1:`Windows` and services.name:`DNS` 

Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say – SIGRED. This helps in automatically grouping existing Windows hosts SIGRED as well as any new host that spins up with this vulnerability. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform

Discover SIGRED CVE-2020-1350 Vulnerability and Misconfigurations 

Now that the windows hosts with SIGRED are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like SIGRED based on the always-updated Knowledgebase.

You can see all your impacted hosts for this vulnerability tagged with the ‘SIGRED’ asset tag in the vulnerabilities view by using QQL query:

vulnerabilities.vulnerability.qid: 91662

This will return a list of all impacted hosts.

Along with the QID 91662, Qualys released the following IG QID 45451 to help customers track assets on which they have the mitigation applied. This QID can be detected using authenticated scanning or the Qualys Cloud Agent.

QID 45451: Microsoft KB4569509 Mitigation Guidance for DNS Server Applied (CVE-2020-1350). 

These QIDs are included in signature version VULNSIGS-2.4.942-2 and above.

Using VMDR, QID 91662 can be prioritized for the following RTIs:

  • Remote Code Execution
  • Unauthenticated Exploitation
  • Public Exploit
  • Denial of Service
  • Easy Exploit
  • High Data Loss
  • Wormable
  • Predicted High Risk
  • Privilege Escalation
  • High Lateral Movement

VMDR also enables you to stay on top of these threats proactively via the ‘live feed’ provided for threat prioritization. With ‘live feed’ updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.  

Simply click on the impacted assets for the SIGRED threat feed to see the vulnerability and impacted host details. 

With VM Dashboard, you can track SIGRED, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of SIGRED vulnerability trends in your environment using Microsoft SIGRED RCE Vulnerability Dashboard.

Configuration management adds context to overall vulnerability management

To reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have SIGRED RCE vulnerability.  

With the Qualys Policy Compliance module of VMDR, you can automatically discover the status of the ‘DNS’ service and if they have misconfigurations in context to the SIGRED vulnerability. 

  • Qualys configuration ID – 18935 “Status of the ‘TcpReceivePacketSize’ parameter within the ‘HKLM\System\CurrentControlSet\Services\DNS\Parameters’ registry key” would be evaluated against all Windows DNS servers as shown below

Risk-Based Prioritization of SIGRED RCE Vulnerability 

Now that you have identified the hosts, versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk.  

High Risk:  

  • Hosts with DNS enabled and patch or workaround not applied are at high risk. 
  • If due to business reasons it is not possible to apply the patch on the hosts for which CVE-2020-1350 is detected. Customers can check for misconfigurations (CID 18935 controls are failing) as shown below. 

Medium Risk: 

  • Hosts with DNS enabled for which CVE-2020-1350 is detected, however, the configuration 18935 is detected as hardened are at medium risk.

Response by Patching and Remediation 

VMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select “cve:`CVE-2020-1350`” in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag – SIGRED. 

For proactive, continuous patching, you can create a daily job with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities. 

Users are encouraged to apply patches as soon as possible.

In cases where due to business reasons it is not possible to apply patches, it is recommended that you reduce your security risk by remediating the related configuration settings for all running DNS Windows servers as provided in Qualys Policy Compliance by applying the following workarounds:

Workarounds

Registry modification

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

DWORD = TcpReceivePacketSize

Value = 0xFF00

Note: You must restart the DNS Service for the workaround to take effect.

Get Started Now

Start your Qualys VMDR trial for automatically identifying, detecting and patching critical SIGRED RCE vulnerability CVE-2020-1350.

Share your Comments

Comments

Your email address will not be published. Required fields are marked *