Full Report
After the SigRed (CVE-2020-1350) write-up was published by Check Point, there was enough detailed information for the smart people, like Hector and others of the Twitterverse (careful with the fake PoC!), to swiftly write a proof of concept to crash Windows DNS. CP did not publish enough details about how to convert this into an RCE, so it looks like a PoC to execute code is still going to take some time to surface. In this post I will describe how I created a Suricata rule to detect exploitation attempts of CVE-2020-1350.
Analysis Summary
# Vulnerability: Windows DNS Server SigRed Vulnerability (CVE-2020-1350)
## CVE Details
- CVE ID: CVE-2020-1350
- CVSS Score: not stated in the write-up; Microsoft rated the bug CVSS v3 10.0 (Critical).
- CWE: not stated in the source. The Check Point analysis describes a 16-bit integer overflow in the size computation for a SIG record's RDATA, which leads to a heap-based buffer overflow in the DNS Server service.
## Affected Systems
- Products: Windows DNS Servers
- Versions: not listed in the source; the Check Point analysis covers Windows Server 2003 through 2019, and Microsoft's fix applies to every supported Windows Server release with the DNS Server role.
- Configurations: only hosts running the DNS Server role (dns.exe) are affected, not the Windows DNS client. The server must be able to resolve a name in an attacker-controlled zone, so that it ends up receiving the malicious response.
## Vulnerability Description
The vulnerability resides in the Windows DNS Server service (dns.exe) and is detailed in the Check Point SigRed write-up; it can lead to remote code execution (RCE). The attacker makes the target server resolve a name in a zone the attacker controls, answers the UDP query with the TC (truncation) bit set so the server retries over TCP, and then returns a malformed **SIG (Type 24) IN (Class 1) answer** over the TCP connection; TCP is required because the malicious record is far larger than a UDP response allows. The observable indicators are therefore a DNS response (QR bit set) over TCP that carries a SIG/IN record, a DNS-over-TCP message length above 65280 bytes (0xFF00), and the name-compression tricks used inside the record to inflate its computed size.
## Exploitation
- Status: Proof-of-Concept (PoC) to **crash** Windows DNS is available. RCE PoC is not yet widely surfaced.
- Complexity: low to reach the crash (a DoS PoC appeared within days of disclosure); converting the heap overflow into reliable code execution is considerably harder, and no public RCE PoC had surfaced when this was written.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: Potential High (If RCE is achieved)
- Integrity: Potential High (If RCE is achieved)
- Availability: Confirmed Denial of Service (DoS) via crashing the DNS service using currently known PoCs.
## Remediation
### Patches
- Microsoft released fixes for all affected Windows Server versions on 14 July 2020 (July Patch Tuesday), the same day the Check Point write-up was published. Patching is the primary remediation; the detection rules in this article are not a substitute for it.
### Workarounds
- The article focuses on detection rather than vendor workarounds. For servers that cannot be patched immediately, Microsoft's documented workaround is to cap the size of DNS messages the server accepts over TCP: set the REG_DWORD `TcpReceivePacketSize` to `0xFF00` under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` and restart the DNS Server service. That cap (65280 bytes) is the same threshold the detection rules use, and it does not affect the UDP path. The Suricata rules described here add a detection layer, or a mitigation when deployed inline in `drop` mode.
## Detection
- **Indicators of compromise (IOCs):**
- DNS responses delivered over TCP rather than UDP; a normal-sized answer would never need the TCP retry.
- DNS responses (QR bit set) with the **TC (Truncation)** bit set; a truncated UDP reply is what forces the server to re-ask the question over TCP.
- Answer records of type **SIG (0x18)** in class **IN (0x01)**. SIG records are rare in ordinary traffic, so this is the strongest single indicator.
- A DNS-over-TCP message whose 2-byte length prefix exceeds 65280 bytes (0xFF00). Zone transfers (AXFR/IXFR) over TCP can legitimately produce messages near the 64 KiB limit, so the length check should be combined with the SIG/IN match rather than used on its own, or secondaries will generate false positives.
- **Detection methods and tools:**
- **Suricata Rules:** The author created custom Suricata rules (SIDs 666661 through 666664) that alert on the characteristics of the malicious flow: content matches on the SIG/IN type and class bytes, byte tests on the message length, and DNS flag combinations, all scoped to TCP port 53. The rules can be configured to `alert` or, on an inline sensor, to `drop` the traffic.
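The same indicators the Vulnerability Description and the IOC list above describe, re-implemented as a stand-alone Python checker so they can be exercised against sample bytes. This is an added example, not the author's Suricata rules, and the two sample segments at the bottom are constructed for illustration rather than captured traffic. It goes slightly beyond the list: the parser follows name-compression pointers with a hop limit, stops cleanly when the RR counts promise more bytes than are present, and never decodes RDATA, so a malformed SIG body cannot break the checker itself. The names `inspect_tcp_dns`, `build_response` and the constants are my own.

```python
"""Indicator checks for SigRed (CVE-2020-1350) style DNS-over-TCP responses.

Added example, not the author's Suricata rules: a stand-alone Python version
of the same indicators (response over TCP, length prefix above 0xFF00,
SIG/IN record, TC bit). The sample segments at the bottom are constructed."""
import struct

TYPE_SIG = 24           # SIG record type (0x18)
CLASS_IN = 1            # IN class (0x01)
TCP_LEN_LIMIT = 0xFF00  # 65280: threshold used by the post, and Microsoft's
                        # TcpReceivePacketSize workaround value
FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # truncated: tells the client to retry over TCP


def read_name(msg, off):
    """Decode a possibly compressed DNS name at off.
    Returns (dotted name, offset just past the name in the wire stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = off + 2                     # stream resumes after the pointer
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_rr_headers(msg):
    """Parse the header and the fixed part of each RR (name/type/class/ttl/rdlen).
    RDATA is skipped, never decoded, so a malformed SIG body cannot break us."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        if off >= len(msg):
            break                                 # counts promise more RRs than bytes
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrs.append({"name": name, "type": rtype, "class": rclass, "rdlen": rdlen})
    return {"qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC), "rrs": rrs}


def inspect_tcp_dns(segment):
    """Apply the SigRed indicators to one DNS-over-TCP segment
    (2-byte length prefix followed by the message). Returns alert strings."""
    alerts = []
    if len(segment) < 2:
        return alerts
    declared = struct.unpack("!H", segment[:2])[0]
    if declared > TCP_LEN_LIMIT:
        alerts.append(f"DNS/TCP length prefix {declared} exceeds {TCP_LEN_LIMIT}")
    try:
        info = parse_rr_headers(segment[2:])
    except ValueError as exc:
        alerts.append(f"unparseable DNS message: {exc}")
        return alerts
    if info["qr"]:                                # only responses carry the payload
        for rr in info["rrs"]:
            if rr["type"] == TYPE_SIG and rr["class"] == CLASS_IN:
                alerts.append(f"SIG/IN record for {rr['name']!r} in response "
                              f"(rdlen={rr['rdlen']}, TC={int(info['tc'])})")
    return alerts


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, flags, rrs):
    """Build a DNS-over-TCP segment for testing. rrs: list of (type, class, rdata);
    each RR name is a compression pointer back to the question name."""
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, CLASS_IN)
    for rtype, rclass, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, rclass, 300, len(rdata)) + rdata
    return struct.pack("!H", len(msg)) + msg


# Constructed samples (not captured traffic).
BENIGN = build_response("www.example.com", FLAG_QR,
                        [(1, CLASS_IN, bytes([93, 184, 216, 34]))])
# SigRed-shaped: a truncated-flagged response whose only answer is a SIG/IN record
# large enough to push the whole message past 0xFF00 bytes. RDATA is filler.
SUSPECT = build_response("sig.attacker.test", FLAG_QR | FLAG_TC,
                         [(TYPE_SIG, CLASS_IN, b"\x00" * 65300)])

if __name__ == "__main__":
    for label, seg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_tcp_dns(seg) or "no alerts")
```

In practice the input would be the reassembled TCP payload of a port 53 stream, one length-prefixed message at a time. The length check fires on its own for large zone transfers, which is why the checker, like the post's rules, pairs it with the SIG/IN match before anything is worth acting on.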
## References
- Original analysis (Check Point): `https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/`
- Crash (DoS) proof of concept: `https://github.com/maxpl0it/CVE-2020-1350-DoS`