FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective

    You’re going to see a lot of sand flying about a Windows security hole that was plugged yesterday. Here’s what most people need to know about CVE-2020-1350, also known as SIGRed:

    Q: Do I need to be worried about it?

    A: Unless you’re in charge of a Windows DNS Server, no.

    Q: How do I know if I’m in charge of a Windows DNS Server?

    A: If you had to ask the question, you aren’t.

    Q: If I am in charge of a Windows DNS Server, should I be concerned?

    A: Yes. You need to get the latest Server cumulative update installed.

    Q: What if all of my Windows DNS Servers are internal only?

    A: You need to get patched anyway. It’s likely easier to exploit the hole on a publicly-facing Windows DNS Server, but internal servers aren’t immune. Marcus Hutchins says:

    Can affect Windows Servers that expose DNS externally, or can be triggered by getting a user to visit a malicious website using IE or pre-Chromium Edge… While technically wormable, it seems unlikely. A more likely scenario would be ransomware actors using it to gain access to the Domain Controller, then pushing ransomware to all network clients.

    Q: Is it really that serious?

    A: Yep, it’s a significant security hole that’s been around for at least 17 years. Several people have remarked that variations on the exploit have existed for a decade. Good advice from @SwiftOnSecurity:

    Microsoft has issued an unusual private push alert to Premier customers under NDA about CVE-2020-1350. Patch or apply workaround now. Note: workaround requires DNS service restart; do not just hand this to admins. I do NOT trust the registry key workaround. Its effect is not auditable and provable. Apply the patch. Something this big with no signs of current exploit means Microsoft went through in-depth testing to prove it out before telling the world. Apply patch and validate and deploy it now.

    Q: Should we bend over and kiss our cumulative keesters goodbye?

    A: Depends on your keester, I guess. We’ll see an active exploit soon, but not right away. Per Kevin Beaumont:

    I don’t expect a quick turnaround to RCE in public, the discoverers didn’t reach it, it requires time and skill… after every big RCE vulnerability announcement, Twitter becomes ‘this would take 5 minutes to write an exploit for!’ Then rarely anybody writes a public RCE exploit quickly, unless it’s a GET web request. If there’s some degree of skill required, a barrier.

    For 99.9% of you, there’s nothing to be concerned about. For the other 0.1%, it’s showtime.

    There’s a technical description from Sagi Tzadik on the Check Point Research web site.