• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Free Trial
  • Contact us
  • Blog
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Products
    • Product
      • Cisco Umbrella Cloud Security Service
      • Cisco Umbrella Investigate
      • Product Packages
      • Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Interactive Intelligence
      • Cloud-Delivered Firewall
    •  
    • Webinar signup
  • Solutions
    • By Need
      • Protect Mobile Users
      • Fast Incident Response
      • Web Content Filtering
      • Shadow IT Discovery & App Blocking
      • Unified Threat Enforcement
      • Reduce Security Infections
      • Secure Direct Internet Access
      • Securing Remote and Roaming Users
    • By Network
      • Protect Guest Wi-Fi
      • SD-WAN Security
      • Off-Network Endpoint Security
    • By Industry
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
      • Our Customers
      • Customer Stories
    • Ransomware Defense for Dummies book
  • Why Us
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Cloud Network Activity
      • Recursive DNS Services
      • Top Reasons to Trial
      • Getting Started
    • Unmatched Intelligence
      • Cyber Attack Prevention
      • Interactive Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco SD-WAN
    • Navigation-dropdown-promo-free-trial_102820
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Analyst Reports
      • Case Studies
      • Customer Videos
      • Datasheets
      • eBooks
      • Infographics
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Cisco Umbrella Blog
      • Latest Posts
      • Security Posts
      • Research Posts
      • Threats Posts
      • Product Posts
      • Spotlight
    • For Customers
      • Support
      • Customer Success Hub
      • Umbrella Deployment Hub
      • Customer Success Webinars
      • What’s New
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
      • Secure Access Service Edge (SASE)
    • Security Threats
      • Ransomware
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
    •  
    • Navigation-dropdown-promo-threat-report_020521
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Become a partner
  • Free Trial Signup
  • Umbrella Login
  • Cloudlock Login
  • Contact Us
Threats

Cisco Umbrella protects against SIGRed, CVE-2020-1350

By Robbie Grue
July 17, 2020

Share

Facebook0Tweet0LinkedIn0

“Patch Tuesday” this week was more exciting than usual! On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows DNS servers that are configured to run the DNS server role. Even if you stop reading now, we strongly recommend that server administrators apply this security update as soon as possible.

Let’s get to the important facts first.

What is CVE-2020-1350?

AKA SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019. It can be triggered by a malicious DNS response. Since the service uses (SYSTEM) a.k.a. elevated privileges, if the vulnerability is exploited successfully, an attacker is granted Domain Administrator rights. This essentially gives them the keys to the kingdom to compromise a victim’s corporate infrastructure.

If I’m an Umbrella customer, am I protected?

Yes! Any customers of Cisco Umbrella who have configured their Microsoft DNS servers to forward to our resolvers are protected against CVE-2020-1350. If you’re not an existing Cisco Umbrella customer, perhaps this is a good time to check us out. Find out more about our recursive DNS services here.

Since March 2020, the Cisco Umbrella resolvers have returned REFUSED in response to a DNS query for the SIG query type, the query type that CVE-2020-1350 is exploiting. With the announcement of CVE-2020-1350, we’ve also taken steps to decompress any SIG records that could be included in queries for other record types (for example, a query for an ANY record will return all records for that name, including a SIG record). Decompressing the record mitigates CVE-2020-1350 because the maximum size of the record is now too small to trigger the vulnerability.

That said, this isn’t a substitute for applying the Microsoft patch. Cisco Umbrella can only protect queries sent to our resolvers, and we can’t guarantee that a given Microsoft DNS service isn’t configured to receive responses from other sources.

What is a SIG record? 

Acronyms are confusing, right? Here at Cisco, we often use SIG to refer to our Cisco Umbrella secure internet gateway (SIG) package. Let’s be clear: this is not that. In this case, a SIG record refers to the “signature record” defined in early attempts at DNS security that contains the cryptographic signatures (see RFC 2931 and RFC2930 for the details). These early attempts at DNS security were largely abandoned, and SIG is now considered obsolete.

Who is vulnerable?

90% of malware uses DNS in attacks. But in this case, only the Windows DNS server application is vulnerable to CVE-2020-1350. Why? It’s because this exploit makes use of specific flaws in Microsoft’s DNS server application. The Cisco Umbrella resolvers use a custom-built DNS resolver, so they are able to properly handle SIG responses. As such, the Cisco Umbrella resolvers are not themselves vulnerable to CVE-2020-1350.

Back up —  I need a DNS refresher!

The domain name system (DNS) is sometimes referred to as the “phone book” of the internet. You can connect to our website by typing in the IP address in the address bar of your browser, but it’s much easier to type in umbrella.cisco.com. DNS was invented for people like me! People that can’t remember long IP address numbers (like phone numbers) would prefer to look up websites by human-friendly names like umbrella.cisco.com instead. DNS servers power a website directory service to make things easier for humans. Some other stuff you should know to help make sense of this vulnerability: 

  • DNS operates over User Datagram Protocol (UDP) / Transmission Control Protocol (TCP) port 53.
  • A single DNS (response / query) is limited to 65,535 bytes.
  • DNS is hierarchical. If a DNS server doesn’t know the answer to a query it receives, the query is forwarded to a DNS server above it in the hierarchy. There are 13 root DNS server names worldwide.

The DNS system is so important that we often refer to it as the foundation of the internet. If your recursive DNS service breaks for some reason, you won’t be able to connect to websites unless you type in the IP addresses directly. If the recursive DNS service you use is working, but has been compromised (like this exploit), then your connection to websites won’t be your only problem!

Want to learn more? Read our blog that discusses DNS-layer security in detail, or learn about the differences between authoritative and recursive DNS servers.

The odds for exploitation are high

Is this risky? Yes! Odds are that this could be very dangerous and result in massive exposure if left unpatched. At the time of writing this blog, we have not seen this attack in the wild, but the likelihood of this vulnerability being exploited is high. Successful exploitation of this vulnerability could result in worst case scenarios ranging from data theft, breaches, loss of intellectual IP, exposure of sensitive enterprise or medical data, and more. Translation: it’s bad. 

The Cisco Umbrella team is actively monitoring for exploitation of this new vulnerability and will block any domains discovered. If you discover a domain attempting to abuse this technique, please let us know by contacting our Support team at https://support.umbrella.com or via email at <umbrella-support@cisco.com>.

We will continue to monitor this situation closely. We strongly recommend that users should patch their affected Windows DNS Servers in order to prevent any exploitation of this vulnerability. 

About Cisco Umbrella

Cisco Umbrella is a cloud-delivered security service that helps you secure internet access and control cloud app usage across your network, branch offices, and roaming users. Umbrella unifies DNS-layer protection, secure web gateway, firewall, and cloud access security broker (CASB) functionality, to help you secure SD-WAN and embrace direct internet access, easily. It’s the simplest cloud security service you’ll ever deploy. There is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management. Get started today with a free DNS-layer trial.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2021 Cisco Umbrella