Critical Vulnerability to Windows Server 2003 to 2019: SigRed

SigRed is a newly discovered (May 2020) vulnerability affecting Windows Server versions 2003 through 2019. Assigned the highest threat rating, a perfect 10, SigRed can be exploited via a malicious DNS response sent to Windows DNS Server to obtain Domain Administrator rights.

How Dangerous Is SigRed? Security Threat 10.0 Explained

It might help to put the highest threat level into context in case you do not follow Microsoft Security Vulnerabilities like we do.

Microsoft has stepped up its security patching game significantly over the last few years. Last year over 12,000 vulnerabilities were reported and patched across all Microsoft products. Over 1,000 vulnerabilities are recorded each month. But SigRed stands out from the crowd. It received a 10 rating, the highest on the scale.

How rare are 10’s? As of July, only 7,628 10.0 ratings had been recorded out of 123,454 total. Microsoft and others like Check Point Research, the organization that reported SigRed, work extremely hard to identify these before the hacking community can exploit them. However, the vulnerability could still pose a problem for global security for years to come. We’ll explain how.

Why Is SigRed So Dangerous?

SigRed hits the sweet spot as a threat to global security for a few reasons.

Unique Attack Trajectory

SigRed is a vulnerability in Windows DNS Server, which sets it apart from the majority of well-known exploits, which target the RDP protocol (BlueKeep) and the SMB protocol (EternalBlue). DNS Server is fundamental to the interface between the web and Windows Server, so any business that operates a website through its own Windows Server deployment is potentially vulnerable.

Social Exploit

Hackers could launch an attack by inducing an employee inside the network to click on a malicious link. The link points to a domain managed by an attacker-controlled nameserver. When the organization’s Windows DNS Server queries that nameserver to resolve the domain, the response it receives is crafted to overflow a buffer in DNS Server and give the attacker the ability to write data into it immediately.

Many of the most damaging attacks in recent years have operated in a similar manner. And yet many companies still fall victim to these attacks.

Domain Administrator Privileges

SigRed is particularly vicious in that a single click gives away the whole castle, not just the keys to the front door. One click enables a hacker to write in a new Domain Administrator.

Domain Administrator privileges include the ability to create new users and change permissions in Active Directory. A hacker can effectively take over the network and in many cases compromise the corporate infrastructure with these privileges.

Many cyberattacks require days, weeks or months to climb the access ladder, but SigRed jumps to the top.

Wormable

Wormable refers to an attack that can be chained across networks and automated to infiltrate many different organizations or individuals without further human direction. SigRed could easily be “wormanized” to turn each domain it infiltrates into another agent pointing back to its malicious nameserver. Then any visitor to the infiltrated website whose organization runs Windows DNS Server would trigger the same attack on their own network. If “wormanized”, SigRed would spread at incredible speed.

Microsoft’s Security Update on July 14, 2020 included a fix, so why could SigRed still pose a risk?

Many businesses are unable to take advantage of updates when they are released. Remember, the rate of releases has increased significantly in recent years, and the volume of updates can make each one extremely time consuming for organizations running proprietary or on-premise software. Each change to the platform has the potential to disrupt the software that runs on it. Businesses try to update as frequently as their IT resources allow, but the amount of testing required often overloads the team. Months or even years can go by without updates being applied, giving hackers plenty of time to take advantage.

Platte River Networks manages our clients’ IT infrastructure so that we can apply security updates as soon as they are released. (Our clients are already SigRed safe.) This practice is crucial for the same reason that you are now able to read about SigRed: Microsoft publishes its security updates and allows researchers to publish their work once the patch has been released. This means that any interested hacker could have read up on SigRed on July 14 and could already have begun work on their own proprietary worm and malicious nameserver/domain network.
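For organizations that cannot install the July 14, 2020 update right away, the following PowerShell is an added example (not part of the original post or of Platte River Networks’ tooling) that checks whether a host runs Windows DNS Server, whether a given update is installed, and otherwise applies the interim registry workaround Microsoft published alongside the patch. The registry value (TcpReceivePacketSize = 0xFF00) comes from the vendor’s guidance, not from this article, and the hotfix ID is a placeholder to fill in from the vendor bulletin for your OS build.

```powershell
# Added example: triage a Windows DNS Server for SigRed exposure and apply
# Microsoft's interim registry workaround where the update is not installed.
# Run in an elevated PowerShell session on the server itself.
# Assumption: the reader supplies the hotfix ID for their OS build (placeholder).

$JulyHotfixId = 'KB<PLACEHOLDER>'   # hotfix ID of the July 14, 2020 update for this OS build

# 1. Only hosts with the DNS Server role are exposed to SigRed.
$dnsService = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $dnsService) {
    Write-Output 'DNS Server service not found: this host is not a Windows DNS Server.'
    return
}

# 2. If the fix is already installed, nothing more to do.
$patched = Get-HotFix -Id $JulyHotfixId -ErrorAction SilentlyContinue
if ($patched) {
    Write-Output "Update $JulyHotfixId installed on $($patched.InstalledOn): patched."
    return
}

# 3. Not patched: apply the workaround, which caps the size of DNS responses the
#    server accepts over TCP so that the oversized malicious response is rejected.
#    The change takes effect only after the DNS service restarts.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$current = (Get-ItemProperty -Path $regPath -Name 'TcpReceivePacketSize' `
            -ErrorAction SilentlyContinue).TcpReceivePacketSize
if ($current -eq 0xFF00) {
    Write-Output 'Workaround already in place (TcpReceivePacketSize = 0xFF00). Still schedule the update.'
    return
}
New-ItemProperty -Path $regPath -Name 'TcpReceivePacketSize' -PropertyType DWord `
                 -Value 0xFF00 -Force | Out-Null
Restart-Service -Name 'DNS'
Write-Output 'Workaround applied and DNS service restarted. Schedule the July 2020 update.'
```

The workaround is a stopgap, not a replacement for the update: once the patch has been installed, the registry value can be removed and the DNS service restarted.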

If you have any questions about how Platte River Networks secures IT infrastructure, please email david@platteriver.com for more information.