CVE-2020-1350 — Microsoft Windows DNS Server Remote Code Execution Vulnerability

SIGRed — Windows DNS Server Integer Overflow in SIG Record Parsing Enables Unauthenticated Wormable RCE; CVSS 10.0, CISA Emergency Directive ED 20-03

What is Windows DNS Server?

Microsoft Windows Server includes a built-in DNS Server role that provides DNS resolution services for Active Directory environments and internal networks. Windows DNS Server is the authoritative DNS server for Active Directory domains and typically runs on all domain controllers. Because DNS is a foundational network service, the Windows DNS Server process (dns.exe) runs as SYSTEM — the highest privilege level on Windows — and listens on UDP and TCP port 53 for DNS queries. A vulnerability in the DNS Server's packet parsing code that allows remote code execution is inherently a SYSTEM-level RCE reachable by sending a DNS query, with no authentication required. SIGRed is the name given to CVE-2020-1350 by the Check Point Research team that discovered it.

Overview

CVE-2020-1350, known as SIGRed, is a critical heap buffer overflow in Microsoft Windows DNS Server caused by an integer overflow when parsing SIG (Cryptographic Signature) DNS resource records. A remote, unauthenticated attacker can exploit SIGRed by sending a specially crafted DNS response to a Windows DNS Server, causing it to parse a malicious SIG record, overflow a heap buffer, and execute attacker-controlled code as SYSTEM. With a CVSS score of 10.0 and a scope of Changed (S:C) reflecting that domain controller compromise affects the entire Active Directory domain, SIGRed prompted an immediate CISA Emergency Directive (ED 20-03) requiring federal agencies to patch within 24 hours. Check Point Research identified the bug in a Windows DNS component that had not changed significantly in 17 years.

Affected Versions

Product | Vulnerable | Fixed
Windows Server 2003 through Windows Server 2019 | Yes | July 2020 Patch Tuesday
All Windows Server versions with DNS Server role enabled | Yes | KB4565541 (Server 2019) and equivalent KBs for each version

Technical Details

  • Root cause: An integer overflow in Windows DNS Server's SIG resource record parsing that leads to a heap buffer overflow. The server sizes a buffer from the advertised length of a SIG record; the length calculation overflows, so the buffer it allocates is smaller than the record requires. When the server then copies the full SIG record data into that undersized buffer, the copy runs past its end into adjacent heap memory, giving an attacker a heap-corruption primitive.
  • 17-year-old code: Check Point Research identified that the vulnerable DNS record parsing code had existed in Windows DNS Server essentially unchanged since Windows Server 2003 (2003–2020), suggesting the flaw predates modern security review practices and existed across every Windows Server version for nearly two decades
  • SIG record attack vector: The attack requires sending a malicious DNS response containing a crafted SIG record to the Windows DNS Server; this can occur through DNS forwarding (tricking the target DNS server into querying a malicious authoritative server) or via a direct DNS query if the attacker can send DNS packets to port 53 — either from the internet (for internet-accessible DNS servers) or from inside the network
  • Wormable potential: Because exploitation needs no authentication and yields SYSTEM on a DNS server, a single compromised DNS server or domain controller could in turn be used to attack the other DNS servers in the forest; this cross-boundary impact is what the CVSS Scope: Changed (S:C) metric captures, and it is why SIGRed is considered theoretically wormable in Active Directory environments.
  • SYSTEM-level execution: dns.exe runs as SYSTEM; code execution via SIGRed provides: full Windows SYSTEM shell, Active Directory domain admin capabilities (via SYSTEM on a domain controller), ability to extract all Active Directory credential hashes (NTDS.dit + SAM), and complete domain compromise
  • CISA Emergency Directive: CISA issued ED 20-03 requiring all federal agencies to apply the patch within 24 hours of release or implement the registry workaround (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, TcpReceivePacketSize = 0xFF00) — the registry workaround limits DNS TCP response size, preventing SIGRed exploitation via the TCP vector
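The following is an added model of the length calculation described in the root-cause bullet; it is not Windows DNS Server code and not Check Point's. It assumes, for the purposes of the model only, that SIG RDATA is 18 bytes of fixed fields followed by the signer's name and then the signature, that the parser stores the signer's name in expanded (decompressed) form, that the record is sized as a 20-byte header plus the expanded name plus the signature, and that the allocator's size parameter is 16 bits wide. The function returns both the unchecked (wrapping) size and a checked size so the two can be compared on constructed inputs.

```powershell
# Added model (not Windows DNS Server code) of the SIG record size
# calculation. Field sizes below are assumptions of this model.
$SigFixedFieldBytes = 18      # fixed RDATA fields preceding the signer name (assumed)
$RecordHeaderBytes  = 20      # per-record header the model's allocator prepends (assumed)
$MaxAllocation      = 0xFFFF  # the size parameter is treated as 16-bit (assumed)

function Get-SigRecordAllocation {
    param(
        [Parameter(Mandatory)][int]$RdLength,           # RDLENGTH from the wire
        [Parameter(Mandatory)][int]$WireNameBytes,      # signer name bytes on the wire
        [Parameter(Mandatory)][int]$ExpandedNameBytes   # signer name bytes after decompression
    )
    $signatureBytes = $RdLength - $SigFixedFieldBytes - $WireNameBytes
    if ($signatureBytes -lt 0) { throw "RDLENGTH too small for a SIG record" }

    # Required size, computed without any width limit.
    $required = $RecordHeaderBytes + $ExpandedNameBytes + $signatureBytes

    # Unchecked: the sum is narrowed to 16 bits and wraps on overflow (the bug).
    $truncated = $required -band 0xFFFF

    # Checked: refuse a record whose size does not fit the 16-bit parameter.
    $checked = if ($required -gt $MaxAllocation) { $null } else { $required }

    [pscustomobject]@{
        SignatureBytes = $signatureBytes
        Required       = $required
        Truncated      = $truncated
        Checked        = $checked
        Overflows      = ($truncated -ne $required)
    }
}

# Constructed worst case: maximum TCP RDATA (65535) whose signer name is a
# 2-byte compression pointer that expands to a 255-byte name.
$worst  = Get-SigRecordAllocation -RdLength 65535 -WireNameBytes 2 -ExpandedNameBytes 255
# Constructed ordinary record: a 13-byte signer name and a 256-byte signature.
$normal = Get-SigRecordAllocation -RdLength (18 + 13 + 256) -WireNameBytes 13 -ExpandedNameBytes 13

$worst, $normal | Format-Table SignatureBytes, Required, Truncated, Checked, Overflows
```

For the worst case the model needs 65790 bytes but the wrapped size is 254, so an unchecked allocator would hand back a buffer far smaller than the copy that follows; the checked path returns no size at all and the record should be rejected. The ordinary record needs 289 bytes and both paths agree.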

Discovery

Discovered by Check Point Research (Sagi Tzadik and Omri Herscovici), who identified the SIG record parsing integer overflow during a security review of Windows DNS Server. They reported it to Microsoft on May 19, 2020, and coordinated public disclosure with the July 2020 Patch Tuesday release. Check Point published a detailed blog post explaining the vulnerability's history and exploitation mechanics.

Exploitation Context

SIGRed's severity stems from its combination of SYSTEM-level code execution, no-authentication requirement, potential wormability, and its location in Windows DNS Server — a service running on every Windows domain controller. An organization running Windows DNS Server as part of Active Directory is fully dependent on this service for all domain operations; exploiting SIGRed on a domain controller provides an attacker with complete domain control in a single exploitation step, without needing to chain multiple vulnerabilities or escalate from a lower-privilege foothold. While public exploitation of SIGRed has not been documented at the scale of some other CVSS 10.0 vulnerabilities, its theoretical wormability and SYSTEM-level domain controller impact made it a top-priority emergency patch.

Remediation

  1. Apply July 2020 Patch Tuesday security updates to all Windows Servers with the DNS Server role — this is the definitive fix
  2. As a registry workaround (if immediate patching is not possible): set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\TcpReceivePacketSize to 0xFF00 (65280) — this limits DNS TCP response size and blocks the SIGRed TCP attack vector; restart the DNS Server service after applying; note this does not block UDP-based exploitation
  3. Block external DNS queries from internet-facing DNS servers to untrusted DNS resolvers — network-level restriction limits the attacker's ability to force the DNS Server to query a malicious authoritative server
  4. Prioritize patching DNS servers that also serve as domain controllers — these are the highest-risk targets because they run with SYSTEM privileges and have direct access to Active Directory
  5. Monitor Windows DNS Server logs for anomalous SIG record queries or DNS resolver interactions with unusual external domains
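The script below is an added example that carries the remediation steps above through on a single server; it is not from the advisory, CISA or Microsoft. It assumes an elevated PowerShell session on a Windows Server with the DNS Server role, uses the registry path and value the advisory gives, takes the KB number the advisory lists for Server 2019 as a placeholder that must be matched to the installed OS version, and assumes the DNS Server analytic event channel is named Microsoft-Windows-DNSServer/Analytical.

```powershell
# Added example (not the advisory's or Microsoft's code): check patch state,
# apply the TcpReceivePacketSize workaround where needed, and report whether
# DNS analytic logging is available for the monitoring step.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00          # 65280, the value named in the workaround
$PatchKb   = 'KB4565541'     # assumption: the KB the advisory lists for Server 2019; adjust per OS
$DnsLog    = 'Microsoft-Windows-DNSServer/Analytical'   # assumed channel name

function Test-DnsServerRole {
    # Only servers running the DNS Server service are in scope.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Test-SigRedPatch {
    param([string]$Kb = $PatchKb)
    # Get-HotFix lists installed updates; absence means patching comes first.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-TcpReceivePacketSize {
    $props = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Set-SigRedWorkaround {
    # Write the DWORD and restart the DNS Server service so it takes effect.
    if (-not (Test-Path $DnsParams)) { throw "DNS parameters key not found: $DnsParams" }
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value $SafeValue -Force | Out-Null
    Restart-Service -Name DNS -Force
    return ((Get-TcpReceivePacketSize) -eq $SafeValue)
}

function Test-DnsAnalyticLogEnabled {
    # The analytic channel is off by default; monitoring (step 5) needs it on.
    $log = Get-WinEvent -ListLog $DnsLog -ErrorAction SilentlyContinue
    if ($null -eq $log) { return $null }
    return [bool]$log.IsEnabled
}

if (-not (Test-DnsServerRole)) {
    Write-Output 'DNS Server service not present; nothing to do on this host.'
    return
}

if (Test-SigRedPatch) {
    Write-Output "$PatchKb is installed: server is patched; the registry workaround is optional."
} else {
    $current = Get-TcpReceivePacketSize
    if ($current -eq $SafeValue) {
        Write-Output ("Unpatched, but {0} is already 0x{1:X} (TCP vector blocked). Patch as soon as possible." -f $ValueName, $SafeValue)
    } else {
        Write-Output ("Unpatched and workaround absent: setting {0} = 0x{1:X}." -f $ValueName, $SafeValue)
        if (Set-SigRedWorkaround) { Write-Output 'Workaround applied and verified; patch as soon as possible.' }
        else { Write-Warning 'Workaround could not be verified; check the registry and service state.' }
    }
}

switch (Test-DnsAnalyticLogEnabled) {
    $true  { Write-Output "DNS analytic log '$DnsLog' is enabled." }
    $false { Write-Output "DNS analytic log '$DnsLog' exists but is disabled; enable it to support monitoring." }
    default { Write-Output "DNS analytic log '$DnsLog' not found on this build." }
}
```

The workaround is only written when the patch is absent and the value is not already set, and the script verifies the value after the service restart rather than assuming the write succeeded. The workaround can be removed once the July 2020 update is installed.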

Key Details

Property | Value
CVE ID | CVE-2020-1350
Vendor / Product | Microsoft — Windows
NVD Published | 2020-07-14
NVD Last Modified | 2025-12-18
CVSS 3.1 Score | 10.0
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity | CRITICAL
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Changed
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2020-05-19 | Check Point Research reports SIGRed to Microsoft
2020-07-14 | July 2020 Patch Tuesday patches CVE-2020-1350; CISA issues Emergency Directive ED 20-03 requiring federal agencies to apply it within 24 hours
2020-07-14 | Check Point Research publishes SIGRed blog post detailing the 17-year-old vulnerability in Windows DNS Server
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline