FAQ: The Windows DNS Server security hole, CVE-2020-1350, from a “normal” user’s perspective
You’re going to see a lot of sand flying about a Windows security hole that was plugged yesterday. Here’s what most people need to know about CVE-2020-1350, also known as SIGRed:
Q: Do I need to be worried about it?
A: Unless you’re in charge of a Windows DNS Server, no.
Q: How do I know if I’m in charge of a Windows DNS Server?
A: If you had to ask the question, you aren’t.
Q: If I am in charge of a Windows DNS Server, should I be concerned?
A: Yes. You need to get the latest Server cumulative update installed.
Q: What if all of my Windows DNS Servers are internal only?
A: You need to get patched anyway. It’s likely easier to exploit the hole on a publicly-facing Windows DNS Server, but internal servers aren’t immune. Marcus Hutchins says:
Can affect Windows Servers that expose DNS externally, or can be triggered by getting a user to visit a malicious website using IE or pre-Chromium Edge… While technically wormable, it seems unlikely. A more likely scenario would be ransomware actors using it to gain access to the Domain Controller, then pushing ransomware to all network clients.
Q: Is it really that serious?
A: Yep, it’s a significant security hole that’s been around for at least 17 years. Several people have remarked that variations on the exploit have existed for a decade. Good advice from @SwiftOnSecurity:
Microsoft has issued an unusual private push alert to Premier customers under NDA about CVE-2020-1350. Patch or apply workaround now. Note: workaround requires DNS service restart; do not just hand this to admins. I do NOT trust the registry key workaround. Its effect is not auditable and provable. Apply the patch. Something this big with no signs of current exploit means Microsoft went through in-depth testing to prove it out before telling the world. Apply patch and validate and deploy it now.
Q: Should we bend over and kiss our cumulative keesters goodbye?
A: Depends on your keester, I guess. We’ll see an active exploit soon, but not right away. Per Kevin Beaumont:
I don’t expect a quick turnaround to RCE in public, the discoverers didn’t reach it, it requires time and skill… after every big RCE vulnerability announcement, Twitter becomes ‘this would take 5 minutes to write an exploit for!’ Then rarely anybody writes a public RCE exploit quickly, unless it’s a GET web request. If there’s some degree of skill required, a barrier.
For 99.9% of you, there’s nothing to be concerned about. For the other 0.1%, it’s showtime.
There’s a technical description from Sagi Tzadik on the Check Point Research web site.
-
July 2020 Patch Tuesday
Here’s what we know about this month’s Patch Tuesday crop.
Big news: There’s a bug in Windows DNS Server that’s a “wormable” Remote Code Execution vulnerability, with a CVSS score of 10.0 – as high as it gets. If you’re running a Windows DNS Server, you need to install the patch for CVE-2020-1350, even if the cumulative update is buggy. There’s also a registry change that works around the bug until you can patch.
Win10 Patch Tuesday cumulative updates:
- Version 1903 and 1909 – KB 4565483 – Fixes the long-standing LSASS bug
- Version 2004 – KB 4565503 – Fixes the OneDrive app bug, in addition to the LSASS bug.
Dustin Childs’ analysis on the Zero Day Initiative blog is up:
- Fixes for 123 individually identified security holes (CVEs), “That makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742.”
- “None of these bugs are listed as being under attack at the time of release, while one CVE is listed as publicly known.”
In addition, Childs reinforces the point about the DNS Server bug: “The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can.” The bug is known as SigRed, and apparently has been around for 17 years, according to Hackernews.
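Since the FAQ above turns on three questions an admin has to answer (is this box a DNS server, is the registry workaround actually in place, is the patch installed), here is an added PowerShell audit script for those three checks. It is not from the newsletter or from Microsoft; it assumes the documented workaround value TcpReceivePacketSize (DWORD 0xFF00) under the DNS service’s Parameters key, and the KB number for your server build is a placeholder you fill in from the Microsoft advisory.

```powershell
# Added example (not from the newsletter or Microsoft): audit one Windows Server
# for CVE-2020-1350 exposure and mitigation state. Run elevated on the server.
param(
    # Placeholder: the July 2020 cumulative update KB for THIS server build.
    [string]$PatchKB = 'KB<server-build-cumulative-update>'
)

$report = [ordered]@{}

# 1. Is the DNS Server role installed at all? If not, nothing else applies.
$dnsService = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
$report['DnsServerRoleInstalled'] = [bool]$dnsService
$report['DnsServiceStatus']       = if ($dnsService) { "$($dnsService.Status)" } else { 'n/a' }

# 2. Is the workaround value present and set to the documented 0xFF00 (65280)?
#    The value caps the size of TCP DNS packets the service will accept, which is
#    why it matters that the attack needs very large packets over TCP.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$value = (Get-ItemProperty -Path $paramsKey -Name 'TcpReceivePacketSize' `
            -ErrorAction SilentlyContinue).TcpReceivePacketSize
$report['TcpReceivePacketSize']   = if ($null -ne $value) { '0x{0:X}' -f $value } else { 'not set' }
$report['WorkaroundValueCorrect'] = ($null -ne $value -and $value -eq 0xFF00)

# The registry value only takes effect after the DNS service restarts, so record
# when the service process started; compare it with when the value was deployed.
if ($dnsService -and $dnsService.Status -eq 'Running') {
    $svcPid = (Get-CimInstance Win32_Service -Filter "Name='DNS'").ProcessId
    $report['DnsServiceStartedAt'] = (Get-Process -Id $svcPid).StartTime
}

# 3. Is the cumulative update that carries the fix installed?
$report['PatchInstalled'] = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

# 4. Verdict: the patch is the real fix; the workaround is a stopgap only.
$report['Verdict'] =
    if (-not $report['DnsServerRoleInstalled']) { 'Not a DNS server: nothing to do' }
    elseif ($report['PatchInstalled'])          { 'Patched' }
    elseif ($report['WorkaroundValueCorrect'])  { 'Workaround only: still needs the patch (and a service restart after the value was set)' }
    else                                         { 'EXPOSED: patch now' }

[pscustomobject]$report
```

Run it across your DNS servers and keep the output; it gives you the auditable record of the workaround’s presence that the tweet above points out the registry change alone does not provide.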
New Servicing Stack Updates for Win10:
- Versions 1903, 1909, KB 4565554
- Version 2004, KB 4566785
Martin Brinkmann has his usual thorough list on ghacks.net.