The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 20-03, which orders all US authorities to swiftly patch the wormable SIGRed vulnerability in Windows DNS Server because there is a strong possibility that the vulnerability will be exploited.
The flaw in question is CVE-2020-1350, a remote code execution vulnerability in Microsoft’s DNS implementation. The vulnerability affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response, which could lead to a heap-based buffer overflow. The flaw has received the maximum CVSS score of 10. Microsoft fixed the flaw last week as part of its monthly Patch Tuesday release.
According to the directive, government agencies are required to update all endpoints running Windows Server operating systems, or apply a registry modification workaround; ensure the July 2020 Security Update is applied to all Windows Servers (and the registry change workaround is removed if necessary and applicable); and have technical and/or management controls in place to ensure that newly provisioned or previously disconnected servers are updated before connecting to agency networks.
The agencies are also required to provide an initial status report by July 20 containing information related to the agency’s current status, and to submit a completion report by July 24 “attesting to CISA that the applicable update has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected servers will be patched as required by this directive.”
The good news is that currently no proof-of-concept code for the SIGRed vulnerability is publicly available.
“The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of this vulnerability, but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch,” according to the directive.