Patching SIGRed: Windows CVE-2020-1350

July 20, 2020 | 3 min read | Vulnerability Management

In the July 2020 Patch Tuesday release, Microsoft patched 13 critical and 83 important vulnerabilities, but one CVE in particular is getting the lion’s share of the attention. CVE-2020-1350, nicknamed “SIGRed,” affects DNS components in the Windows operating system and is particularly troubling because it can spread from machine to machine without human intervention.

The flaw is serious enough that it prompted the US Department of Homeland Security (DHS) to issue an emergency directive to all Federal agencies. The rationale behind issuing the directive is four-fold:

  • High likelihood of the vulnerability being exploited
  • Widespread use of Windows (the affected software)
  • High potential for a compromise of agency information systems
  • Severe impact of a successful compromise

Under the directive, all endpoints running the impacted versions of Windows must install the patch and complete a registry setting change. The deadline was July 17, 2020 for any machine acting as a DNS server and July 24, 2020 for all other Windows servers.

Exploitation uses Port 52 and can be triggered remotely by sending a DNS response that contains an abnormally large SIG record. The result is a buffer overflow that allows the attacker to overwrite settings on the target system.
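Because the trigger described above is a DNS response carrying an oversized SIG record, a defender can look for exactly that shape in traffic captured in front of a Windows DNS server. The script below is an added example written for this article; it is not code from the original post or from Balbix. It walks the wire-format DNS message (handling RFC 1035 name compression), records the RDLENGTH of every resource record, and reports SIG (type 24) records whose RDATA exceeds a threshold. The 1024-byte threshold is an assumed heuristic, and the sample messages are constructed with the `build_response` helper rather than taken from captured traffic.

```python
"""Flag DNS responses that carry unusually large SIG (type 24) records.

Added detection example for this article; not code from the original post
or from Balbix. The threshold and the sample messages are constructed
assumptions, not values taken from the advisory.
"""
import struct

SIG_RR_TYPE = 24  # RFC 2535 SIG record type code
# Assumed heuristic: legitimate SIG RDATA (fixed fields + signer name +
# signature) stays far below this; anything larger deserves a closer look.
SUSPICIOUS_RDATA_BYTES = 1024


def read_name(data, offset):
    """Return the offset just past a (possibly compressed) DNS name.

    A compression pointer (top two bits set, RFC 1035 4.1.4) always ends
    the name in the current byte sequence, so it is skipped as two bytes.
    """
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        label_len = data[offset]
        if label_len == 0:  # root label terminates the name
            return offset + 1
        if label_len & 0xC0 == 0xC0:  # compression pointer: two bytes
            return offset + 2
        if label_len & 0xC0:  # 0x40 / 0x80 prefixes are reserved
            raise ValueError("invalid label length byte")
        offset += 1 + label_len


def parse_records(message):
    """Parse a wire-format DNS message (no TCP length prefix) and return
    (section, rtype, rdlength) for every resource record in it."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", message[:12])
    offset = 12
    for _ in range(qdcount):  # questions carry no RDATA; skip them
        offset = read_name(message, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    sections = (("answer", ancount), ("authority", nscount),
                ("additional", arcount))
    for section, count in sections:
        for _ in range(count):
            offset = read_name(message, offset)
            if offset + 10 > len(message):
                raise ValueError("truncated resource record header")
            rtype, _rclass, _ttl, rdlength = struct.unpack(
                "!HHIH", message[offset:offset + 10])
            offset += 10
            if offset + rdlength > len(message):
                raise ValueError("RDLENGTH exceeds message")
            records.append((section, rtype, rdlength))
            offset += rdlength
    return records


def oversized_sig_records(message, threshold=SUSPICIOUS_RDATA_BYTES):
    """Return (section, rdlength) for each SIG record larger than threshold."""
    return [(section, rdlength)
            for section, rtype, rdlength in parse_records(message)
            if rtype == SIG_RR_TYPE and rdlength > threshold]


def build_response(name, rtype, rdata):
    """Assemble a minimal one-answer DNS response for exercising the checker.
    Constructed sample data, not captured traffic."""
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", rtype, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    benign = build_response("example.test", SIG_RR_TYPE, b"\x00" * 200)
    suspect = build_response("example.test", SIG_RR_TYPE, b"\x00" * 4000)
    print("benign:", oversized_sig_records(benign))    # []
    print("suspect:", oversized_sig_records(suspect))  # [('answer', 4000)]
```

When fed responses taken from a capture, strip the two-byte length prefix that DNS over TCP adds before calling `oversized_sig_records`; a parse error on a record header or an RDLENGTH that overruns the message is itself worth logging, since a malformed response is as interesting to a defender as an oversized one.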

As of right now, there are no known exploits in the wild, though that is likely to change.

Identifying CVE-2020-1350 with Balbix

For Balbix customers looking to identify any systems vulnerable to SIGRed, the process is fast and easy. Simply search for “CVE-2020-1350” and Balbix will automatically identify all impacted systems.

Individual impacted machines can be further inspected.