
SigRed Critical Vulnerability and Patch/Fix

Jordan Hammond

A new vulnerability has been disclosed in the Windows DNS Server service, and this is a big one. It scores a 10.0 on the CVSS scale, and despite what you may have heard from Spinal Tap, there is no 11. We all know big enough bugs need a name; this one has been named SigRed. It is a wormable remote code execution (RCE) flaw: an exploit could spread from one vulnerable DNS server to the next without any user interaction.

SigRed is triggered by a specially crafted DNS message that the vulnerable server parses (an attacker gets the target server to look up a domain they control, then answers with a malicious response), giving the attacker arbitrary code execution on the DNS server. From there the rest of your infrastructure is reachable. Check Point, who reported the bug, has said, "If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server and making it possible for them to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and more."

The DNS Server service runs as SYSTEM, so code execution here is code execution as SYSTEM. Given how often the DNS role lives on a domain controller, an attacker who exploits this could gain Domain Admin rights, so assume that if it gets exploited, everything in your network is potentially at risk.


The known trigger relies on an oversized DNS response delivered over TCP, so Microsoft's workaround is to cap the largest inbound TCP DNS packet the service will accept at 0xFF00 (65,280 bytes), down from the default maximum of 0xFFFF, through the registry. This is a stopgap, not a fix: the DNS Server service must be restarted for the value to take effect, and you still need to install the patch. You could apply the workaround in a couple of ways.

1. From an elevated command prompt, add the value with reg add and then restart the DNS service:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f 

net stop DNS && net start DNS

2. It was pointed out that we love PowerShell, but initially I added no PowerShell. /u/xxdcmast and Colby wrote the following, which performs the same task with New-Item and New-ItemProperty (restart the DNS service afterwards, as in step 1):

# Create the Parameters key only if it is missing (it normally already exists on a DNS server)
if (-not (Test-Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters)) {
    $null = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Force
}

# Cap inbound TCP DNS packets at 0xFF00 (65,280) bytes; -Force overwrites an existing value
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Name "TcpReceivePacketSize" -PropertyType DWord -Value 0xFF00 -Force

# The value is only read when the DNS Server service starts
Restart-Service -Name DNS

3. Or, even better, patch your systems! The vulnerability is tracked as CVE-2020-1350 and was fixed in the July 2020 Patch Tuesday updates; the registry change is only a stopgap until that update is installed. Check out my accompanying video where I describe the very things I wrote about in this blog post. To learn about other security patches closed in this month's batch, check out our monthly Patch Tuesday report.
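Putting the steps above together, here is an added example (my own, not code from the original post, from PDQ, or from the contributors named above) of a PowerShell script that checks whether the workaround is already in place, applies it only if needed, restarts the DNS Server service so the value is actually read, and then re-verifies. It assumes an elevated session on the DNS server itself; the function names, and the checks for a missing key or a value created with the wrong registry type, are mine.

```powershell
# Added example, not from the original post or from PDQ: apply the SigRed
# (CVE-2020-1350) registry workaround idempotently, restart the DNS Server
# service, and verify the result. Assumes an elevated PowerShell session on
# the DNS server itself. Function names are this example's own.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00   # 65,280 bytes, the cap Microsoft recommends (default max is 0xFFFF)

function Test-SigRedWorkaround {
    # Returns $true only if this host runs the DNS Server service AND the cap is
    # present as a REG_DWORD at or below 0xFF00. Anything else counts as "not mitigated".
    # Status text goes to the host, not the pipeline, so the return value stays a single bool.
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        Write-Warning 'No DNS Server service on this host; nothing to mitigate.'
        return $false
    }
    $key = Get-Item -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        Write-Host "$ValueName is not set, so the default maximum applies: NOT mitigated."
        return $false
    }
    # reg add with the wrong /t (e.g. REG_SZ) leaves a value the DNS service will not honour.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Host "$ValueName exists but is $kind, not REG_DWORD: NOT mitigated."
        return $false
    }
    $current = [int]$key.GetValue($ValueName)
    Write-Host ('{0} = 0x{1:X} ({1} bytes)' -f $ValueName, $current)
    return ($current -le $SafeValue)
}

function Set-SigRedWorkaround {
    # Writes the cap, restarts DNS so the service re-reads it, and re-verifies.
    if (-not (Test-Path -Path $RegPath)) {
        # Guard instead of relying on New-Item -Force semantics against an existing key.
        $null = New-Item -Path $RegPath -Force
    }
    # -Force replaces an existing value, including one created with the wrong type.
    $null = New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $SafeValue -Force

    # The value is only read at service start.
    Restart-Service -Name DNS -Force
    $svc = Get-Service -Name DNS
    try {
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    catch [System.ServiceProcess.TimeoutException] {
        throw "DNS Server service did not return to Running within 30 s (status: $($svc.Status))."
    }
    return (Test-SigRedWorkaround)
}

# Usage: check first, change only if needed, and fail loudly if the change did not stick.
if (Test-SigRedWorkaround) {
    Write-Host 'SigRed workaround already in place.'
}
elseif (Set-SigRedWorkaround) {
    Write-Host 'SigRed workaround applied and DNS Server service restarted.'
}
else {
    throw 'SigRed workaround could NOT be applied; patch this server now.'
}
```

To run it against a list of DNS servers from a management host, wrap it in Invoke-Command -ComputerName with -FilePath (or push it as a PDQ Deploy PowerShell step); the restart will briefly interrupt name resolution on each server, so schedule accordingly. Once the July 2020 update is installed the cap is no longer needed.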

If you would like to see which of your machines need to be patched, community user /u/darkpixel2k created a collection that you can import into PDQ Inventory and has uploaded it to his Git repository. It also looks like he has created a PDQ Deploy package to push the fix if you are unable to push updates outside of your schedule.
