SIGRed

SIGRed is a critical remote code execution vulnerability discovered in the Windows DNS Server role in 2020. It affects Windows Server versions from 2003 to 2019. The vulnerability is triggered by a specially crafted DNS response that causes a heap-based buffer overflow in the DNS server's code. The overflow lets an attacker corrupt adjacent heap memory and, from there, execute arbitrary code with SYSTEM privileges on the affected server.

The vulnerability stems from the way the Windows DNS server parses and handles DNS SIG (signature) records. A malformed SIG record can cause the DNS server to allocate an insufficient amount of memory to store the record, leading to the buffer overflow when the record's data is written.

The impact of SIGRed is severe. A successful exploit allows an attacker to take complete control of the DNS server. Since DNS servers are critical infrastructure components responsible for translating domain names to IP addresses, compromising a DNS server can have widespread consequences, including:

  • Domain Hijacking: Attackers can redirect traffic intended for legitimate websites to malicious servers.
  • Data Theft: Attackers can access sensitive data stored on the server or within the network.
  • Denial of Service: Attackers can disrupt DNS services, preventing users from accessing websites and online services.
  • Lateral Movement: Attackers can use the compromised DNS server as a stepping stone to gain access to other systems within the network.

Microsoft released a patch for SIGRed (CVE-2020-1350) on July 14, 2020. Organizations were strongly urged to apply the patch immediately to mitigate the risk of exploitation. Microsoft also provided a workaround that caps the maximum size of DNS responses received over TCP, but patching was the recommended remediation strategy.
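The two defensive ideas in this entry, rejecting oversized TCP DNS responses before they are parsed and refusing any resource record whose declared RDLENGTH does not fit inside the message, can be illustrated with a small validating parser. The following is an added example written for this page; it is not Microsoft's code, not the DNS server's parser, and not the exact workaround setting. `MAX_TCP_RESPONSE`, `check_tcp_response`, `build_response` and the sample messages are all constructed for the example, and the `0xFF00` cap is an assumed value chosen only to show the shape of the check.

```python
import struct

# Assumed cap (constructed for this example, not necessarily the value of
# Microsoft's workaround): TCP DNS frames declaring a larger payload are
# rejected before any record is parsed.
MAX_TCP_RESPONSE = 0xFF00

TYPE_SIG = 24  # resource record type code for SIG (RFC 2535)


class DnsParseError(ValueError):
    """Raised when a length field points outside the message."""


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        if off >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            if off + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            return off + 2
        off += 1 + length


def parse_records(msg):
    """Walk the header, question and RR sections of a DNS message.
    Returns a list of (rtype, rdlength); raises DnsParseError if any
    RDLENGTH claims more bytes than the message actually holds."""
    if len(msg) < 12:
        raise DnsParseError("header too short")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off)
        if off + 4 > len(msg):
            raise DnsParseError("truncated question")
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise DnsParseError("truncated RR header")
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlength > len(msg):
            # The declared length and the data that is really present disagree:
            # a parser must reject this rather than trust RDLENGTH for sizing.
            raise DnsParseError(f"RDLENGTH {rdlength} overruns message")
        records.append((rtype, rdlength))
        off += rdlength
    return records


def check_tcp_response(frame, max_size=MAX_TCP_RESPONSE):
    """Validate a TCP DNS frame (2-byte length prefix followed by the message).
    Returns (ok, reason, number_of_SIG_records)."""
    if len(frame) < 2:
        return False, "no length prefix", 0
    (declared,) = struct.unpack("!H", frame[:2])
    if declared > max_size:
        return False, f"declared size {declared} exceeds cap {max_size}", 0
    if declared != len(frame) - 2:
        return False, "length prefix does not match payload", 0
    try:
        records = parse_records(frame[2:])
    except DnsParseError as err:
        return False, str(err), 0
    return True, "ok", sum(1 for rtype, _ in records if rtype == TYPE_SIG)


def build_response(records, qname=b"example.test"):
    """Constructed sample builder: one A question plus the given answers.
    Each record is (rtype, rdata) or (rtype, rdata, claimed_rdlength); the
    third form writes a deliberately wrong RDLENGTH to exercise the check."""
    name = b"".join(bytes([len(lbl)]) + lbl for lbl in qname.split(b".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    body = name + struct.pack("!HH", 1, 1)
    for rec in records:
        rtype, rdata = rec[0], rec[1]
        claimed = rec[2] if len(rec) > 2 else len(rdata)
        body += name + struct.pack("!HHIH", rtype, 1, 300, claimed) + rdata
    msg = hdr + body
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    good = build_response([(1, b"\x0a\x00\x00\x01"), (TYPE_SIG, b"S" * 20)])
    bad = build_response([(1, b"\x0a\x00\x00\x01"), (TYPE_SIG, b"S" * 20, 100)])
    print(check_tcp_response(good))
    print(check_tcp_response(bad))
    print(check_tcp_response(struct.pack("!H", 0xFFFF) + b"\x00" * 12))
```

The cap is applied to the declared length before a single byte of the body is interpreted, which is the property that makes a size limit useful as a stopgap; the RDLENGTH check is the consistency test that a wire-format parser needs regardless of the cap, since a 16-bit length field on its own says nothing about how much data actually follows it.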