July 14, 2020
CBI Security Alert: ‘SigRed’ Windows DNS Server Remote Code Execution Vulnerability

What is SigRed?

The 17-year-old 'SigRed' vulnerability (CVE-2020-1350) allows an unauthenticated remote attacker to execute code as SYSTEM on a Windows DNS server by sending it crafted DNS traffic. Because Windows DNS is usually hosted on domain controllers, a successful exploit typically means domain administrator privileges, and with them the ability to intercept email and network traffic and to harvest credentials across the domain.

This vulnerability is particularly dangerous because it is wormable: no user interaction is required, so malware could exploit it to spread automatically from one vulnerable DNS server to the next.

The SigRed vulnerability has a CVSS base score of 10.0, the maximum.

Affected Environments

Any Windows Server with the DNS Server role installed. Microsoft lists all supported server versions, Windows Server 2008 through Windows Server 2019, as affected; the flaw has been present since Windows Server 2003. Hosts that only run the DNS client are not affected.

Cause of Issue

The bug is a heap buffer overflow in dns.exe, the Windows DNS Server service, in the code that parses SIG (signature) resource records in DNS responses; Check Point, who reported it, named it SigRed for that reason. The attacker controls a domain and answers the target server's query for that domain with a crafted response. The size needed to hold the record is computed into a 16-bit value, and DNS name compression lets the signer's name in the record expand to far more bytes than the compressed form occupies on the wire, so the computed size wraps and the service allocates a buffer too small for the data it then copies in. Because the malicious response has to exceed 64 KB, it is delivered over DNS over TCP. The attack can also be launched from a browser: the DNS service reads the first two bytes of a TCP connection to port 53 as the message length, so a DNS message smuggled inside an HTTP POST body lets a malicious web page make a visitor's browser deliver the payload to an internal DNS server.

Remediation

Microsoft released a fix in today's (July 14, 2020) security update; install it on every Windows DNS server as a priority. If you cannot patch immediately, Microsoft documents a registry workaround: cap the largest DNS message the service will accept over TCP at 0xFF00 (65,280) bytes, which is smaller than the response the overflow requires. The DNS service must be restarted for the new value to take effect, and the value can be removed once the patch is installed:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
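The same workaround, written as a PowerShell script that checks the DNS Server service is present, applies the cap only if it is missing or too large, restarts the service, and verifies the result. This is an added example for this alert, not code from Microsoft or from the original advisory; the function names are our own, and it assumes the registry path and the 0xFF00 value from Microsoft's guidance and an elevated session on the DNS server itself.

```powershell
# Added example (not from the CBI alert or Microsoft): apply and audit the
# CVE-2020-1350 TcpReceivePacketSize workaround on a Windows DNS server.
# Run in an elevated PowerShell session on the DNS server.
# Assumptions: registry path and value name as published by Microsoft;
# 0xFF00 (65,280 bytes) is the documented cap.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeSize  = 0xFF00   # largest TCP DNS message the service will accept once set

function Get-DnsTcpReceivePacketSize {
    # Returns the configured cap, or $null when the value is absent.
    # Absent means the default, which accepts messages up to 0xFFFF bytes.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-SigRedWorkaround {
    # $true only when the cap exists and is no larger than 0xFF00.
    $current = Get-DnsTcpReceivePacketSize
    return ($null -ne $current) -and ($current -le $SafeSize)
}

function Set-SigRedWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'The DNS Server service is not installed on this host; nothing to do.'
    }

    if (Test-SigRedWorkaround) {
        Write-Host ('{0} already capped at 0x{1:X4}; no change needed.' -f $ValueName, (Get-DnsTcpReceivePacketSize))
        return
    }

    $action = 'Set to 0x{0:X4}' -f $SafeSize
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", $action)) {
        # -Force creates the REG_DWORD value or overwrites an existing one.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $SafeSize -Force | Out-Null
        # The DNS service reads this value only at start-up, so restart it.
        Restart-Service -Name DNS -Force

        if (-not (Test-SigRedWorkaround)) {
            throw 'Workaround was not applied; check permissions and the registry path.'
        }
        Write-Host 'Workaround applied and the DNS service restarted.'
    }
}

function Remove-SigRedWorkaround {
    # Undo the cap once the July 2020 update is installed and the server rebooted.
    if ($null -eq (Get-DnsTcpReceivePacketSize)) { return }
    Remove-ItemProperty -Path $RegPath -Name $ValueName -Force
    Restart-Service -Name DNS -Force
}

# Usage (elevated):
#   Set-SigRedWorkaround -WhatIf   # preview the change
#   Set-SigRedWorkaround           # apply it
#   Test-SigRedWorkaround          # audit: $true when the cap is in place
#   Remove-SigRedWorkaround        # after patching
```

Two caveats before rolling this out. The cap is a stopgap, not a substitute for the update: it stops the oversized SIG response, but it also means the server cannot resolve a name whose legitimate response from an upstream resolver is larger than 65,280 bytes, which is rare but possible with large DNSSEC-signed zones. And the service restart briefly interrupts resolution, so schedule it and run Test-SigRedWorkaround across the fleet afterwards to confirm no server was missed.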

Contact CBI today for more information or for remediation assistance. 

Resources:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

https://thehackernews.com/2020/07/windows-dns-server-hacking.html
