Description: On Tuesday, July 14, 2020, Microsoft released a patch for CVE-2020-1350, a 17-year-old critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that the Microsoft Security Response Center classified as wormable. CVE-2020-1350, code-named “SigRed,” carries a CVSSv3 base score of 10.0 and results from a flaw in the Windows DNS Server role’s parsing of DNS responses (specifically, the handling of SIG resource records, hence the name) that can be triggered by a malicious response to a query the server itself makes. According to Check Point Research, the security firm that discovered the vulnerability, successful exploitation can yield domain administrator privileges, compromising critical business data, assets, and infrastructure.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 20-03 on July 16, 2020, requiring federal agencies to patch or mitigate the vulnerability within 24 hours—notably only the third time CISA’s current director has taken such an action. A public denial of service (DoS) exploit was released on July 15.
Rapid7’s Labs team found roughly 50,000 internet-exposed Microsoft DNS servers in UDP and TCP DNS scans in early July. A Sigma rule to detect exploitation attempts is available from Florian Roth, who has asked for reports of false positives.
Affected products: CVE-2020-1350 affects all Windows Server versions (2003 through 2019) running the Windows DNS Server role. Non-Microsoft DNS servers are not affected.
Rapid7 analysis: During a month of competing CVSS 10 vulnerabilities, CVE-2020-1350 stands out both because of the prevalence of Windows DNS servers and because of Microsoft’s warnings on wormability—warnings that the research community has speculated likely stem from private proof of exploitability. As of July 20, 2020, there have been no reports of exploitation in the wild, but with a patch widely available and a DoS proof-of-concept publicly accessible, we expect active exploitation shortly. As with any vulnerability known to be wormable, CVE-2020-1350 will make an attractive target for ransomware campaigns in addition to stealthier threat actors. Rapid7’s blog on CVE-2020-1350 discusses exploitation scenarios along with internet exposure of Windows DNS servers. Note, however, that the malicious payload arrives in a DNS response, not a query: a Windows DNS server that recursively resolves a name on behalf of an internal client will contact the authoritative nameserver for that domain, and if the attacker controls that nameserver, the crafted response is delivered to the vulnerable parser. Because the exploitation path can therefore be invoked by a trusted client passively querying a malicious domain, restricting inbound access to the Windows DNS service is not a mitigation for this vulnerability.
Guidance: We reinforce CISA’s urgent guidance to those who have Windows servers running DNS: Patch on an emergency basis. Microsoft released guidance on a registry-based workaround for those who cannot patch immediately (capping the size of TCP DNS responses the server will accept, since the malicious response must exceed 64 KB and can only be delivered over TCP), but as with other recent high-severity, high-urgency vulnerabilities, it is highly recommended that defenders prioritize patching over mitigation wherever possible.
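The following is an added example, not code from the Rapid7 advisory, showing how an administrator would apply (or, after patching, remove) Microsoft’s published workaround on a DNS server. The registry path, value name, and value 0xFF00 are the ones Microsoft documented for CVE-2020-1350; the script structure, the `-Revert` switch, and the role check are this example’s own assumptions.

```powershell
# Added example (not from the Rapid7 advisory): apply or revert Microsoft's
# documented CVE-2020-1350 workaround on a Windows DNS server.
# Registry path, value name and value (0xFF00) are Microsoft's; the script
# layout and the -Revert switch are this example's own.
# Run from an elevated PowerShell session on the DNS server itself.
# Patch wherever possible; this only caps the TCP response size dns.exe accepts.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # -Revert removes the workaround value once the security update is installed.
    [switch]$Revert
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Cap       = 0xFF00   # 65280 bytes, Microsoft's recommended value (maximum allowed is 0xFFFF)

# The setting is only meaningful where the DNS Server role is installed.
$dnsRole = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsRole -or -not $dnsRole.Installed) {
    Write-Warning 'DNS Server role is not installed on this host; nothing to do.'
    return
}

# Read the current value, if any (DWORD comes back as an Int32).
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($Revert) {
    if ($null -eq $current) {
        Write-Host "$ValueName is not set; workaround already absent."
        return
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Remove workaround value')) {
        Remove-ItemProperty -Path $RegPath -Name $ValueName
        Restart-Service -Name DNS      # change takes effect only after a service restart
        Write-Host 'Workaround removed and DNS service restarted.'
    }
    return
}

if ($null -ne $current -and $current -le $Cap) {
    Write-Host ("{0} already set to 0x{1:X} ({1} bytes); workaround in place." -f $ValueName, $current)
    return
}

if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", ("Set to 0x{0:X}" -f $Cap))) {
    # -Force creates the DWORD value or overwrites a larger existing one.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Cap -Force | Out-Null
    Restart-Service -Name DNS          # dns.exe reads the value at startup
    Write-Host ("Set {0}=0x{1:X} and restarted the DNS service." -f $ValueName, $Cap)
}
```

Run it with `-WhatIf` first to see what it would change. While the workaround is in place, the server will fail to resolve any name whose upstream TCP response exceeds 65,280 bytes, which is rare in practice but possible for very large zones; Microsoft’s guidance is to remove the value (here, `-Revert`) once the update has been applied so the DNS parameters are left as they were before.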