Hopefully, you have probably all heard of the "Sigred" vulnerbility in DNS, a security issue which has existed in DNS servers for 17 years. That means that if you run a windows based DNS server you need to patch it ASAP. If you have a windows DNS server facing the internet then you really need to patch it now.
The reason for this blog is to hopefully act as a concise summary of the vulnerbility and the MS patch numbers you need to deploy and check for. Personally, I find Microsoft's security portal a major pain to navigate through and trying to determine which files actually get replaced to fix this vulnerbility is a major headache as it is not longer as simple as that. I hope that this post helps cut through the noise and helps make systems safe from this vulneribility.
The vulnerbility is nicely demostrated by checkpoint software in a video they posted here. In this example, they use the exploit to crash the DNS server but I understand that it can also be used to provide local admin rights as a lot of people run DNS on their AD servers.
There is also https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ which goes into an awesome amount of detail about exactly how this vulneribility works.
In short, the vulnerbility can be fixed in one of two ways:
Option 1 - Deploy the monthly security rollup patch for July 2020. The actual KB number changes depending on your OS version, here is a list:
Windows 2008 32/64 bit SP2 - KB4565536
Windows 2012 Core/GUI - KB4565537
Windows 2012 R2 Core/GUI - KB4565541
Windows 2016 Core/GUI - KB4565511
Windows 2019 build 1903/1909 - KB4565483
Windows 2019 build 2004 - KB4565503
It's worth noting that this patch can trigger a few existing bugs and likely triggers some new ones. The most interesting I've seen so far is https://support.microsoft.com/en-gb/help/4467684 where password errors can occur in the cluster service stating that a password is too short. This appears to occur only if the minimum password length policy is 14 chars or greater.
Another interesting potential side effect is Windows not booting on Fugitsu and Lenovo laptops if they have less than 8GB RAM so worth testing if you use those laptop types.
Option 2 - Change a registry key:
DWORD = TcpReceivePacketSize
Value = 0xFF00
Restart the DNS Server service
The full list of OS'es, patches and more on the registry key can be found on MS site here
The CVE details for the vuln are here
At the time of my writing this blog there is not any proof of concept code. Expect this to change once the patch is reverse engineered.
I will also note that with tools like Shodan out there, it is very easy to find machines on the internet that are likely to be easy to compromise once exploit code is available. This is not a dig at Shodan, on the contrary, shodan perform a vital service to help expose how piss poor some setups are.
Subscribe to Ramblings of a Sysadmin
Get the latest posts delivered right to your inbox