Valentina Palmiotti, a lead information security specialist at Grapl, has published a PoC exploit for the SIGRed vulnerability along with a detailed report on how it works.
Last year, Check Point experts discovered a critical vulnerability in Windows DNS Server, codenamed SIGRed. It was assigned the identifier CVE-2020-1350 and scored 10 out of 10 on the CVSSv3 vulnerability rating scale. This rating means that the bug is extremely easy to exploit and requires almost no technical knowledge. The vulnerability can also be used in automated remote attacks and does not require prior authentication.
Since the bug had existed in the code for 17 years, the problem affected all versions of Windows Server released from 2003 to 2019. To exploit the bug, an attacker could send malicious DNS queries to a Windows DNS server, resulting in arbitrary code execution that could lead to the compromise of the entire infrastructure.
The vulnerability was fixed last year as part of the July “Patch Tuesday”.
Now Palmiotti, Grapl's Lead Information Security Officer, has presented a PoC exploit for SIGRed and published a detailed report on how it works, in which she also explains how to create SIEM rules to detect SIGRed exploitation.
Palmiotti's exploit was successfully tested (1, 2) on unpatched 64-bit versions of Windows Server 2019, 2016, 2012 R2, and 2012. A video demonstration of the attack can be seen below.
It should be noted that exploits for SIGRed had appeared earlier, but those versions were only capable of causing a denial of service (DoS).
As I reported recently, Google experts published an exploit for a critical bug in Windows 10.