In this TechTalk we discuss the research process, methodology and mindset behind SIGRed, and also demonstrate an attack.
Q&A:
1. Are you aware of any RCE PoCs publicly available?
We are not taking it to the next phase. We have found internally all of the loops that need to be upgraded in order to bring it from denial of service to remote code execution, and we shared them with Microsoft. Microsoft rated this vulnerability as highly likely to be exploitable.
2. Are you aware of any RCE PoCs publicly available?
No, but we did see some denial-of-service PoCs on GitHub that work.
3. Is it possible to see the same vulnerability on other DNS servers?
We are not aware of other DNS servers that are vulnerable to the same bug.
4. If I have installed the latest Windows update for Server 2016, will this mitigate/prevent the attack?
Yes, the relevant links per OS are here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
5. Can SandBlast Agent (SBA) prevent this attack?
Yes, the SBA needs to be installed on the DNS server.
6. What if the IPS protection is placed on the connection between the DNS server and an external DNS server? How can SBA protect in this case?
The SBA needs to be installed on the DNS server.
7. What are the minimum blades on the Check Point Endpoint client that would need to be installed/enabled on a Server 2016 Domain Controller to protect against the attack?
This protection is available starting from Endpoint Security Client E83.11 and above.
This protection was integrated inside the SBA core and is not related to a specific blade.
8. Is this IPS protection available on R77.30 systems?
Yes, just make sure your IPS signature is up to date.
9. Does this exploit work only against publicly available Windows DNS servers?
No, as we demonstrate, any client that can do nslookup against the DNS server can trigger the attack.
10. Can you share a link to the Research blog post?
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-...