Microsoft has disclosed a 17-year-old wormable vulnerability in Windows DNS servers. The flaw, known as SIGRed (CVE-2020-1350), affects versions 2003 to 2019 and can be triggered by a malicious DNS response. If exploited, a malicious actor could gain Domain Administrator rights, and compromise the entire corporate infrastructure. Once in, the attacker can seize and manipulate users’ emails and network traffic, disrupt and disable services, steal credentials and so forth.

We strongly advise applying the patches as soon as possible. If applying the update is not practical, a registry-based workaround is available which does not require restarting the server.

The vulnerability exists because Windows DNS servers fail to properly handle certain requests; the update addresses this by modifying how requests are handled. While there is no evidence that the vulnerability has been exploited to date, Microsoft has assigned it the highest possible score of 10 on the Common Vulnerability Scoring System (CVSS). Researchers claim there is a high chance of exploitation, having found all of the primitives needed to exploit the bug, meaning a determined attacker could do the same.

Therefore, it is crucial that you:

  1. Check and make sure you can patch all Windows DNS servers with the relevant patch as defined here, in order to prevent exploitation of this vulnerability.
  2. Review any firewall rules that allow external traffic over port 53 to your internal DNS resolvers, as such rules significantly increase the attack surface.
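As an added example to support step 2 (not part of the original advisory), the following PowerShell audit can be run on each Windows DNS server: it lists the enabled inbound host-firewall allow rules for port 53 and flags those whose remote scope is broader than the local subnet. It assumes Windows Server with the ServerManager and NetSecurity modules; rules on upstream network firewalls still need their own review.

```powershell
# Added example: audit host-firewall rules that permit inbound DNS (port 53)
# on a Windows DNS server. Assumes Windows Server with the ServerManager and
# NetSecurity modules (Get-WindowsFeature and the Get-NetFirewall* cmdlets).

# Only relevant on hosts where the DNS Server role is installed.
$dnsRole = Get-WindowsFeature -Name DNS
if (-not $dnsRole.Installed) {
    Write-Output "DNS Server role is not installed on $env:COMPUTERNAME; nothing to audit."
    return
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    # LocalPort may be a single value, a range or an array; keep rules with an entry equal to 53.
    if (@($port.LocalPort) -notcontains '53') { continue }

    $addr = $rule | Get-NetFirewallAddressFilter
    # Any remote scope other than LocalSubnet ('Any', explicit ranges, ...) deserves review
    # for an internal resolver that should not be reachable from outside.
    $nonLocal = @(@($addr.RemoteAddress) | Where-Object { $_ -ne 'LocalSubnet' })

    [pscustomobject]@{
        Rule        = $rule.DisplayName
        Profile     = $rule.Profile
        Protocol    = $port.Protocol
        LocalPort   = (@($port.LocalPort) -join ',')
        Remote      = (@($addr.RemoteAddress) -join ',')
        NeedsReview = ($nonLocal.Count -gt 0)
    }
}

# Rules needing review are listed first.
$findings | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```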