“Patch Tuesday” this week was more exciting than usual! On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows DNS servers that are configured to run the DNS server role. Even if you stop reading now, we strongly recommend that server administrators apply this security update as soon as possible.
Let’s get to the important facts first.
What is CVE-2020-1350?
AKA SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019. It can be triggered by a malicious DNS response. Since the service uses (SYSTEM) a.k.a. elevated privileges, if the vulnerability is exploited successfully, an attacker is granted Domain Administrator rights. This essentially gives them the keys to the kingdom to compromise a victim’s corporate infrastructure.
If I’m an Umbrella customer, am I protected?
Yes! Any customers of Cisco Umbrella who have configured their Microsoft DNS servers to forward to our resolvers are protected against CVE-2020-1350. If you’re not an existing Cisco Umbrella customer, perhaps this is a good time to check us out. Find out more about our recursive DNS services here.
Since March 2020, the Cisco Umbrella resolvers have returned REFUSED in response to a DNS query for the SIG query type, the query type that CVE-2020-1350 is exploiting. With the announcement of CVE-2020-1350, we’ve also taken steps to decompress any SIG records that could be included in queries for other record types (for example, a query for an ANY record will return all records for that name, including a SIG record). Decompressing the record mitigates CVE-2020-1350 because the maximum size of the record is now too small to trigger the vulnerability.
That said, this isn’t a substitute for applying the Microsoft patch. Cisco Umbrella can only protect queries sent to our resolvers, and we can’t guarantee that a given Microsoft DNS service isn’t configured to receive responses from other sources.
What is a SIG record?
Acronyms are confusing, right? Here at Cisco, we often use SIG to refer to our Cisco Umbrella secure internet gateway (SIG) package. Let’s be clear: this is not that. In this case, a SIG record refers to the “signature record” defined in early attempts at DNS security that contains the cryptographic signatures (see RFC 2931 and RFC2930 for the details). These early attempts at DNS security were largely abandoned, and SIG is now considered obsolete.
Who is vulnerable?
90% of malware uses DNS in attacks. But in this case, only the Windows DNS server application is vulnerable to CVE-2020-1350. Why? It’s because this exploit makes use of specific flaws in Microsoft’s DNS server application. The Cisco Umbrella resolvers use a custom-built DNS resolver, so they are able to properly handle SIG responses. As such, the Cisco Umbrella resolvers are not themselves vulnerable to CVE-2020-1350.
Back up — I need a DNS refresher!
The domain name system (DNS) is sometimes referred to as the “phone book” of the internet. You can connect to our website by typing in the IP address in the address bar of your browser, but it’s much easier to type in umbrella.cisco.com. DNS was invented for people like me! People that can’t remember long IP address numbers (like phone numbers) would prefer to look up websites by human-friendly names like umbrella.cisco.com instead. DNS servers power a website directory service to make things easier for humans. Some other stuff you should know to help make sense of this vulnerability:
- DNS operates over User Datagram Protocol (UDP) / Transmission Control Protocol (TCP) port 53.
- A single DNS (response / query) is limited to 65,535 bytes.
- DNS is hierarchical. If a DNS server doesn’t know the answer to a query it receives, the query is forwarded to a DNS server above it in the hierarchy. There are 13 root DNS server names worldwide.
The DNS system is so important that we often refer to it as the foundation of the internet. If your recursive DNS service breaks for some reason, you won’t be able to connect to websites unless you type in the IP addresses directly. If the recursive DNS service you use is working, but has been compromised (like this exploit), then your connection to websites won’t be your only problem!
Want to learn more? Read our blog that discusses DNS-layer security in detail, or learn about the differences between authoritative and recursive DNS servers.
The odds for exploitation are high
Is this risky? Yes! Odds are that this could be very dangerous and result in massive exposure if left unpatched. At the time of writing this blog, we have not seen this attack in the wild, but the likelihood of this vulnerability being exploited is high. Successful exploitation of this vulnerability could result in worst case scenarios ranging from data theft, breaches, loss of intellectual IP, exposure of sensitive enterprise or medical data, and more. Translation: it’s bad.
The Cisco Umbrella team is actively monitoring for exploitation of this new vulnerability and will block any domains discovered. If you discover a domain attempting to abuse this technique, please let us know by contacting our Support team at https://support.umbrella.com or via email at <email@example.com>.
We will continue to monitor this situation closely. We strongly recommend that users should patch their affected Windows DNS Servers in order to prevent any exploitation of this vulnerability.
About Cisco Umbrella
Cisco Umbrella is a cloud-delivered security service that helps you secure internet access and control cloud app usage across your network, branch offices, and roaming users. Umbrella unifies DNS-layer protection, secure web gateway, firewall, and cloud access security broker (CASB) functionality, to help you secure SD-WAN and embrace direct internet access, easily. It’s the simplest cloud security service you’ll ever deploy. There is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management. Get started today with a free DNS-layer trial.