A new exploit has been found involving DNS, and this is a big one. It ranks as a 10 on the CVSS scale. Despite what you may have heard from Spinal Tap, there is no 11. We all know big enough exploits need a name, and this one has been named SigRed. This exploit is wormable (remote code execution); it can spread to multiple computers without any user interaction.
SigRed works by using a specially crafted DNS query that will allow a hacker to achieve arbitrary code execution. This can breach your entire infrastructure. Check Point has said, "If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server and making it possible for them to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and more."
The DNS Server service also runs with elevated privileges. The attacker could gain Domain Admin rights, and given how often the DNS role already sits on a domain controller, let's assume that if this gets exploited, everything in your network is potentially at risk.
Because this exploit relies on oversized DNS packets to gain access, capping the largest inbound TCP packet the DNS server will accept via the registry prevents it. You could apply this in a couple of ways.
1. From an elevated CMD prompt, run the following commands (the service restart is required for the change to take effect).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
2. It was pointed out that we love PowerShell, but initially I added no PowerShell. /u/xxdcmast and Colby wrote the following, which will perform the same task.
# Ensure the Parameters key exists, then set the DWORD value
$null = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Force
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Name "TcpReceivePacketSize" -PropertyType DWord -Value 0xFF00 -Force
# Restart the DNS Server service so the new value takes effect
Restart-Service -Name DNS
3. Or even better, patch your systems! This vulnerability, tracked as CVE-2020-1350, was closed in the latest Patch Tuesday. Check out my accompanying video, where I walk through the very things I wrote about in this blog post. To learn about other security patches closed in this month's batch, check out our monthly Patch Tuesday report.
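Before pushing the workaround everywhere, you probably want to know which DNS servers already have it. The following audit function is an added example written for this post, not code from the original article or from PDQ; the function name and output fields are my own, while the registry path, value name and 0xFF00 figure are the ones from the workaround above. It assumes the Windows default of 0xFFFF is in effect whenever the value is absent.

```powershell
# Added example (not from the original post): report whether the SigRed
# TcpReceivePacketSize workaround is present on this DNS server.
function Test-SigRedWorkaround {
    [CmdletBinding()]
    param(
        # Value the workaround sets; anything larger leaves the exposure open.
        [uint32]$ExpectedSize = 0xFF00
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $dnsSvc  = Get-Service -Name DNS -ErrorAction SilentlyContinue

    if (-not $dnsSvc) {
        # No DNS Server service means the vulnerable code is not running here.
        return [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            DnsRole              = $false
            TcpReceivePacketSize = $null
            WorkaroundApplied    = $null
            Note                 = 'DNS Server service not present; SigRed does not apply'
        }
    }

    $value = (Get-ItemProperty -Path $regPath -Name TcpReceivePacketSize `
                  -ErrorAction SilentlyContinue).TcpReceivePacketSize

    # A missing value means the default (0xFFFF) is in effect, i.e. no workaround.
    $applied = ($null -ne $value) -and ([uint32]$value -le $ExpectedSize)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DnsRole              = $true
        ServiceStatus        = $dnsSvc.Status
        TcpReceivePacketSize = if ($null -ne $value) { '0x{0:X}' -f $value } else { '(default 0xFFFF)' }
        WorkaroundApplied    = $applied
        Note                 = if ($applied) { 'Workaround present; still install the CVE-2020-1350 update' }
                               else { 'Workaround absent; patch, or set TcpReceivePacketSize and restart DNS' }
    }
}

Test-SigRedWorkaround | Format-List
```

Run it across your DNS servers with Invoke-Command (for example `Invoke-Command -ComputerName $dnsServers -ScriptBlock ${function:Test-SigRedWorkaround}`) and filter on WorkaroundApplied to build your remediation list.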
If you would like to see which of your machines still need to be patched, community user /u/darkpixel2k created a collection that you can import into PDQ Inventory. He has uploaded it to his git repository. It also looks like he has created a PDQ Deploy package to push the fix if you are unable to push updates outside of your normal schedule.