Windows DNS bug, SIGRed, gets a perfect 10 (Image Credit: Gerd Altmann from Pixabay)SIGRed is a critical bug in Windows Domain Name System (DNS) server. The bug has been around for 17 years and is as a result of the way Microsoft chose to implement the DNS protocol. This is not an issue with the DNS protocol. It is solely down to the code that Microsoft wrote, tested and deployed as a product. It raises serious questions about how Microsoft tests and certifies its own code. This is also not the first time Microsoft has admitted to a long term problem.

How serious is this? Critical! If successfully exploited, the attacker will get Domain Administrator privileges. That means they will have complete control of an organisations Windows infrastructure. From there they can steal data, destroy data and even encrypt data as part of a ransomware attack. They can also install malware and enable multiple different attacks such as Business Email Compromise. Get the message?

Yaniv Balmas, Head of Cyber Research, Check Point Software (Image Credit: LinkedIn)
Yaniv Balmas, Head of Cyber Research, Check Point Software

What makes this attack even more serious, is the ease with which an exploit can be launched. Yaniv Balmas, Head of Cyber Research, Check Point Technologies confirmed that an attacker with even basic connection to a WIFI network could take over a DNS server.

It is not just WIFI that is an infection route. Anyone who can gain access to a physical network socket can attempt an attack. Many buildings have network sockets that are in public areas, making them easily accessible. All that is required is a cable and a device to launch the attack.

Hotels, restaurants, theme parks, service stations, cafes and even hospitals provide free access to WIFI for visitors. Any of them running Windows DNS and who doesn’t patch is at risk of an attacker taking control of their systems.

What is SIGRed?

SIGRed was named by researchers at Check Point who discovered it. It exploits a problem in the way a Windows DNS server handles an incoming request and how it sends a response to a forwarded DNS query. A malicious query causes a larger response to the query than expected, which, in turn, forces what is called a buffer overflow. It is this latter part of the attack that allows the attacker to take control of the server.

The full details of the attack are contained in the Check Point blog. There is also another good explanation on the Naked Security Blog.

Importantly, this is not an isolated instance whereby a single machine can be attacked and taken over by the attacker. It can spread from one machine to another, which is why Microsoft describes it as wormable. Many large organisations run multiple Windows DNS servers to spread the workload. This means that the attack can quickly spread.

The easiest way to think of this, especially in the current pandemic, is that every infected DNS server will infect every other unpatched DNS server it comes into contact with. Patching it is the only way to stop the spread.

Is there evidence of this being exploited?

Omri Herscovici, Security Research Team Leader at Check Point Software Technologies (Image Credit: LinkedIn)
Omri Herscovici, Security Research Team Leader at Check Point Software Technologies

Omri Herscovici, Security Research Team Leader at Check Point Software Technologies answered this question during a webinar. He said: “A POC has been circulating on the Internet. It’s definitely a fake proof of concept. We estimate it would take at least a few days for anyone to be able to exploit this successfully and maybe more.

“The POC mentioned by ZephrFish, that’s the GitHub page, is completely fake and would actually install malicious content on your own machine. So don’t use it.”


@ZoomerX tweeted to us that the allegation above was incorrect. After a few rounds of tweets that included @omriher we have amended the statement above to take out the claim that it POC would install malicious content on a users’ machine. We also understand that the POC was intended as a prank.

While that POC might be fake, the seriousness of SIGRed and the benefits for a successful attacker means we will see attacks appear soon. What is interesting is that both Microsoft and Check Point say that their current telemetry shows no evidence of exploits in the past. This is the same story as Heartbleed. There were no attacks for many years until the vulnerability was made public. After that, there was a continuous series of attacks, even after there was a fixed version of OpenSSL.

The same is likely to happen here. The use of deprecated versions of Windows Server, including all versions on 2003 and 2008, continues. All of these are vulnerable to a SIGRed attack.

How to fix it?

There are two options here, fix and mitigate. To fix the issue, apply the latest Microsoft patches that are in the Patch Tuesday bundle.

To mitigate it, start by applying the Microsoft workaround (shown below) and review how people can gain access to your network. Lockdown WIFI access and block any network access point that is in a publicly accessible area such as receptions, waiting rooms and hallways.

Microsoft registry patch


Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that’s allowed:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 

Value: TcpReceivePacketSize 

Type: DWORD 

Value data: 0xFF00


The default (also maximum) Value data = 0xFFFF.

The recommended Value data = 0xFF00 (255 bytes less than the maximum).

You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:

net stop dns && net start dns

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes.

Enterprise Times: What does this mean

Rob Kraus, Sr. Director, Global Threat Intelligence Center Operations, NTT Security
Rob Kraus, Sr. Director, Global Threat Intelligence Center Operations, NTT Security

Old vulnerabilities continue to be a threat, as highlighted in the NTT Ltd Global Threat Intelligence Report (GTIR) 2020 (registration required). In an interview with Enterprise Times, Rob Kraus, Senior Director, Global Threat Intelligence Center, Threat Communications & Alliances at NTT Ltd said: “We detected vulnerabilities, or exploit attempts against vulnerabilities over 15, or 20, years old, and unpatched vulnerabilities continue to be a problem.”

It will be interesting to see how quickly SIGRed attacks show up in the NTT Ltd monthly GTIC reports.

The first notification of attacks will likely come within the next week or so. Given how long it takes many enterprises to patch their IT systems, those attacks will be highly successful. The question is, have IT organisations learned from other attacks? Some will, some won’t. About the only certainty here is that this won’t be the last vulnerability found in a major software vendors code.


Please enter your comment!
Please enter your name here