SIGRed: Microsoft releases KB4569509 patch to fix the 17 year old Windows DNS bug


Microsoft fixes the 17-year-old SIGRed Windows Bug; Microsoft releases July 2020 cumulative patch KB4569509 to fix the Windows DNS Bug

Windows 10 July cumulative patch KB4569509 resolves a 17-year-old bug in the Windows operating system. The bug called SIGRed is a Windows DNS bug that was present in the Windows operating system even before some of you were born was discovered by CheckPoint researchers. SIGRed has been issued an identifier, CVE-2020-1350, and has the highest critical CVSS base score of 10.0.

The bug affects all forms of Windows server versions. Microsoft has described the SIGRed bug as a “wormable” bug. A wormable bug means that potential hackers could develop an exploit kit based on the SIGRed vulnerability and break into systems and compromise the DNS Server.

What is Windows SIGRed DNS bug?

Domain Name System or DNS is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network(Intranet). In layman term, DNS is the phonebook of the internet”, is a network protocol for translating human-friendly computer hostnames into IP addresses. Because it is such a core component of the internet, there are many solutions and implementations of DNS servers out there, but only a few are extensively used. Microsoft’s implementation is called “Windows DNS Server” and used extensively on every Windows operating system or Windows environment.

SIGRed vulnerability in the Windows DNS server affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, a potential hacker is granted Domain Administrator rights, effectively allowing them to take over the entire system and thus compromising the entire corporate infrastructure.

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

Microsoft security bulletin for CVE-2020-1350.

Which Windows operating systems does SIGRed affect?

SIGRed is a 17-year-old Windows security flaw, and it does not affect Windows clients, but only Windows Server. The following systems are impacted:

  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 Service Pack 1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server version 1903
  • Windows Server version 1909
  • Windows Server version 2004

The SIGRed Windows bug has a CVSS score of 10/10 which underscores why it is important for Sysadmins to patch this particular vulnerability. If patching is not possible, you can implement the following workaround:

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:



Value = 0xFF00

Note You must restart the DNS Service for the registry change to take effect.

The Default (also max) Value = 0xFFFF
The Recommended Value = 0xFF00 (255 bytes less than the max)
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.

CheckPoint reported SIGRed bug to Microsoft in May. Microsoft immediately took action and released the patch for this bug with the July 2020 cumulative patch. Microsoft says that the SIGRed bug though wormable has not yet been exploited in the wild. CheckPoint says that there is a high chance of hackers developing an exploit kit for the flaw.

We believe that the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.



About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments