
SigRed: A Wormable Microsoft DNS Server RCE Vulnerability

SigRed Overview

SigRed is a vulnerability that was exposed yesterday (July 14th 2020) by the security firm Check Point. Successful exploitation of the vulnerability could lead to a malicious actor gaining control of the organizational DNS server, often leading in turn to domain administrator privileges, allowing the attacker complete control of any domain-joined Windows machine.

The vulnerability lies in Microsoft’s DNS server and could be triggered from either inside the network, by an attacker controlling an internal asset, or, in some conditions (as stated below), from outside the network, making it even more dangerous.

As Microsoft Active Directory is deeply integrated with DNS services, the DNS service is virtually always enabled on domain controllers. An attacker gaining control of a domain controller through the DNS service could lead to a complete compromise of the network, allowing the attacker complete access to all Windows machines joined to the domain, whether patched or not, using the domain administrator privileges of the compromised domain controller. Even if the compromised DNS server does not serve as a domain controller, it is likely that domain administrator credentials are stored locally and can be retrieved by a tool such as Mimikatz. Furthermore, the attacker is also able to return custom DNS responses, enabling man-in-the-middle attacks against unencrypted protocols such as HTTP, FTP and others.

Exploitation Methods

The precondition for this exploit is that the local organization’s DNS server is configured to recursively resolve queries to external domains using root-hints. This configuration is the default configuration when the DNS service is installed.

Exploitation is either impossible or further complicated in the following cases:

  1. The DNS server is an authoritative server of a DNS zone and does not recursively resolve queries to other domains.
  2. The DNS server is part of an independent DNS infrastructure, such as an air-gapped network. In such a case, the attacker will need either write access to the DNS server or existing control over an authoritative DNS server serving an arbitrary zone on the network.
  3. The DNS server is configured to use a forwarder server (such as 8.8.8.8 or 1.1.1.1) instead of directly using root hints. In such a case, the attacker would need to propagate the attack through the chain of recursive calls, which has not yet been proven possible but cannot be completely ruled out.

The vulnerability can be exploited in two ways:

  1. From inside the network:
    An attacker who has a foothold on an asset inside the network can compromise the organization’s local DNS server by sending queries for external domain records that are controlled by the attacker (e.g. http://www.evil.com). Such a request will cause the local DNS server to communicate directly with the attacker’s DNS server. A maliciously crafted response from the attacker’s server could allow the attacker to compromise the local DNS server.
  2. From outside the network:
    An attacker can send a user inside the network a malicious link to a website the attacker controls (via e-mail, for example). Once the user opens the link in either Microsoft Edge Legacy or Internet Explorer (this does not apply to Google Chrome, Mozilla Firefox or Microsoft Edge Chromium, and was not tested on other browsers), a malicious web page is sent back to the client that causes the client itself to perform a series of DNS queries to the local organization’s DNS server, which in turn queries the attacker’s DNS server, at which point the DNS server can be compromised in the same manner as presented above.

 

Exploitability in OT Networks

Most OT networks have Windows endpoints that are used for process control, technical maintenance and others. An attacker successfully exploiting this vulnerability from either inside or outside the network can gain domain administrator privileges, allowing full access to all domain-joined workstations and servers even if already patched.
At this point, the attacker will be able to install ransomware, malware, steal information, disrupt OT operations and/or access any machine in the domain for any purpose.

As many OT networks are slower to patch systems than IT networks, they are exposed for a longer period of time, allowing attackers to exploit this vulnerability. As a successful exploitation often results in domain administrator privileges, a single unpatched DNS server is sufficient to compromise the entire network, even if all other DNS servers are already patched.

Mitigation Recommendations

Microsoft has released a patch (July 14th 2020) to the vulnerability. We urge everyone to update their Microsoft Windows Servers as soon as possible.

If for any reason one is unable to patch the Windows Servers right away, running the following command limits the size of DNS responses received over TCP to 0xFF00 (65280) bytes and prevents the vulnerability from being triggered. Note that the value must be set with the /v switch (the value name is TcpReceivePacketSize), and the DNS service must be restarted for it to take effect:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v TcpReceivePacketSize /t REG_DWORD /d 0xFF00 /f && net stop DNS && net start DNS
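As an added illustration (not part of the original advisory and not Microsoft's code), the following Python shows what the 0xFF00 cap means at the wire level: every DNS message sent over TCP is preceded by a 2-byte big-endian length (RFC 1035 section 4.2.2), so a single message can declare up to 65535 bytes, and a receiver honouring a TcpReceivePacketSize of 65280 refuses anything above that before reading the body. The ordinary A-record response and the oversized message in the sample stream are constructed here.

```python
"""Added example: DNS-over-TCP framing and the 0xFF00 (65280-byte) message cap.

Constructed illustration, not Microsoft's code. Each DNS message on TCP is
preceded by a 2-byte big-endian length (RFC 1035 section 4.2.2), so one
message can claim up to 65535 bytes; the mitigation above lowers what the
Windows DNS service accepts to 0xFF00, and this receiver enforces the same cap.
"""
import struct

TCP_RECEIVE_PACKET_SIZE = 0xFF00  # the value set by the registry mitigation above


def build_tcp_message(payload: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length, as it travels over TCP."""
    if len(payload) > 0xFFFF:
        raise ValueError("DNS message exceeds the 16-bit TCP length prefix")
    return struct.pack("!H", len(payload)) + payload


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),  # QR bit
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def receive_tcp_stream(stream: bytes, max_size: int = TCP_RECEIVE_PACKET_SIZE) -> list:
    """Walk a TCP byte stream and return (verdict, declared_length, header) per message.

    A message whose declared length exceeds max_size is rejected on the length
    prefix alone and the stream is abandoned, which is what a receiver honouring
    the cap does with the connection; its body is never copied into a buffer.
    """
    results, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        if length > max_size:
            results.append(("rejected", length, None))
            break
        body = stream[offset + 2:offset + 2 + length]
        if len(body) < length:
            results.append(("truncated", length, None))
            break
        results.append(("accepted", length, parse_header(body)))
        offset += 2 + length
    return results


def sample_stream() -> bytes:
    """Constructed sample: one ordinary A-record response followed by a 65535-byte message."""
    qname = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # response, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                     # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    normal = build_tcp_message(header + question + answer)          # 45 bytes on the wire
    oversized = build_tcp_message(b"\x00" * 0xFFFF)  # filler body; only the declared length matters
    return normal + oversized


if __name__ == "__main__":
    for verdict, length, hdr in receive_tcp_stream(sample_stream()):
        print(verdict, length, hdr)
```

Ordinary responses are tens to a few hundred bytes, so the cap leaves real traffic untouched while refusing the largest messages the TCP framing allows; the registry value in the command above applies the same limit inside the Windows DNS service, and `max_size=0xFFFF` in the receiver shows the behaviour of an uncapped server for comparison.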

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

802.1X Protocol for Network Authentication

EAP

802.1X uses the Extensible Authentication Protocol (EAP), a challenge-and-response-based authentication protocol, to carry a conversation between a Supplicant (the wireless/wired client) and the RADIUS server (the authentication server) via an Authenticator (a wired switch or wireless access point acting as a proxy). EAP supports multiple authentication methods; some are secure and some are vulnerable, although older endpoints still support the latter.

802.1X authentication with Portnox CLEAR

DIAGRAM: An example of how EAP works with Portnox CLEAR.

EAP-TLS

With 802.1X authentication via EAP Transport Layer Security (or EAP-TLS), there is mutual certificate authentication: the method relies on a TLS handshake in which both the Supplicant (endpoint) and the RADIUS server present their certificates.

Advantages:

  • Mutual certificate authentication
  • The authentication process takes place inside a secure SSL tunnel
  • The user/machine certificate is linked to the relevant user/computer identity, which makes stealing attempts useless (in contrast to stolen credentials)

Disadvantages:

  • The identities are sent in clear text before the certificate exchange starts
  • Deployment and lifecycle maintenance of endpoint certificates might be costly in small environments

EAP-TTLS

802.1X EAP Tunneled Transport Layer Security (or EAP-TTLS) is an extension of EAP-TLS. After the RADIUS server has authenticated to the Supplicant with its certificate (optionally with TLS client authentication of the Supplicant to the RADIUS server as well), the Supplicant proves its identity inside the tunnel via PAP or MSCHAPv2.

Advantages:

  • The authentication process takes place inside a secure SSL tunnel
  • User identity is not exposed
  • Can use multiple methods to authenticate inside the tunnel – certificates / user identities
  • EAP-TTLS can be used for network authentication by Azure Identity when AD-DS is not enabled (MSCHAPv2 is not available)

Disadvantages:

  • It does not support MSCHAPv2 without enabling Directory Services with Azure AD (a limitation of Azure AD itself)
  • Client-side certificate is not required, only optional

EAP-PEAP

With 802.1X authentication via EAP Protected Extensible Authentication Protocol (or EAP-PEAP), only the RADIUS server needs a certificate. With that certificate, the endpoints establish an encrypted TLS tunnel through which the authentication details are passed. The most common protocol used to authenticate the endpoints inside PEAP is MSCHAPv2 challenge and response, which authenticates both the server (usually Active Directory / Azure AD) and the supplicant (endpoint). The exchange is challenge-response based: each side computes a hash from a random challenge and the identity’s credential, so the password itself is never sent across the network.

Advantages:

  • The authentication process takes place inside a secured SSL tunnel
  • User identity is not exposed
  • Simple deployment – allows the use of a username and password the end-user is already familiar with, such as Active Directory or local account credentials

Disadvantages:

  • This method requires a password changing policy to remain secure
  • If the endpoints are not hardened they are exposed to “evil twin” attacks

EAP-MD5

One of the legacy 802.1X EAP methods is Message Digest 5 (or EAP-MD5). The RADIUS server sends a random challenge to the Supplicant, which computes an MD5 hash of its credentials and the challenge and sends that hash back to the RADIUS server for validation. With this method, then, supplicants never send their passwords to the RADIUS server; they send hashes instead.

Advantages:

  • EAP-MD5 is compatible with legacy network equipment and older types of endpoints

Disadvantages:

  • It is exposed to dictionary attack – password “guessing”
  • Vulnerable to man-in-the-middle attacks since there is no mutual authentication
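The EAP-MD5 request/response round trip described above, as an added worked example that is not Portnox code and not a RADIUS implementation. It assumes the CHAP-style response value MD5(Identifier || Secret || Challenge) from RFC 1994, which RFC 3748 specifies for the EAP MD5-Challenge type; the user database, the names and the 16-byte challenge size are constructed for the example.

```python
"""Added example: the EAP-MD5 challenge/response exchange between a RADIUS
server and a Supplicant, both sides in one file.

Constructed for illustration; not Portnox code or a RADIUS implementation.
Packet layout follows RFC 3748 section 5.4 (Code, Identifier, Length, Type 4,
Value-Size, Value, Name) and the response value follows the CHAP rule
MD5(Identifier || Secret || Challenge) from RFC 1994, which EAP-MD5 reuses.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The 16-byte response value: MD5 over identifier byte, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name."""
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(pkt: bytes):
    """Return (code, identifier, value, name) or raise on a malformed packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP-MD5 packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated value field")
    return code, identifier, value, pkt[6 + value_size:]


class AuthServer:
    """The RADIUS side: issues a fresh random challenge and validates the hashed response."""

    def __init__(self, users: dict):
        self.users = users        # constructed user database: name -> secret
        self.pending = {}         # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return build_packet(EAP_REQUEST, identifier, chal, b"radius.example")

    def verify(self, response: bytes) -> bool:
        code, identifier, value, name = parse_packet(response)
        chal = self.pending.pop(identifier, None)   # each challenge is usable once
        if code != EAP_RESPONSE or chal is None:
            return False
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = eap_md5_value(identifier, secret, chal)
        return hmac.compare_digest(expected, value)   # constant-time comparison


def supplicant_respond(request: bytes, name: bytes, secret: bytes) -> bytes:
    """The endpoint side: hash its secret with whatever challenge it was handed.

    Nothing in the request is derived from the secret, so the supplicant cannot
    tell a genuine RADIUS server from any other party issuing challenges; that
    is the missing mutual authentication listed under the disadvantages above.
    """
    code, identifier, challenge, _ = parse_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return build_packet(EAP_RESPONSE, identifier, eap_md5_value(identifier, secret, challenge), name)


def run_exchange(server: AuthServer, name: bytes, secret: bytes, identifier: int = 1) -> bool:
    """Drive one Request/Response round trip and return the server's decision."""
    return server.verify(supplicant_respond(server.challenge(identifier), name, secret))


if __name__ == "__main__":
    srv = AuthServer({b"alice": b"correct horse battery"})
    print("good password:", run_exchange(srv, b"alice", b"correct horse battery"))
    print("bad password: ", run_exchange(srv, b"alice", b"wrong"))
```

The two disadvantages listed above are visible in the code. The request the supplicant answers carries only a random challenge and a server name, nothing that proves the sender holds the user's secret, so the endpoint responds to whoever asks. And because eap_md5_value is a deterministic function of the secret and two values that cross the wire in clear, the request/response pair is enough to check password guesses against without the server's involvement, which is the dictionary-attack exposure the page notes. The tunnelled methods above address both points by authenticating the server with a certificate and running the inner exchange inside TLS.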


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.
