Under Review

Live Discover Query - That nasty Microsoft DNS bug - SigRED a.k.a CVE-2020-1350

  REVIEWED by Sophos 

As the title says, Microsoft recently advised a of a nasty bug within MS DNS servers.

NakedSecurity has a great write up with suggested actions, PATCH NOW.  Or implement a work around.

https://nakedsecurity.sophos.com/2020/07/15/patch-now-sigred-the-wormable-hole-in-your-windows-servers/

Have you patched yet?  Have you patched ALL your DNS servers... what about the ones you DON'T know about?

It's happened, and with this query you can question all of your Windows systems that _may_ have the DNS role installed and whether or not it's patched and/or has the work around applied.

Verify your security posture!

 

WITH vulnerable AS (
SELECT 'CVE-2020-1350' AS CVEid,
CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END OS_Vulnerable
FROM os_version
WHERE major >= 6
AND codename LIKE '%Server%'
), installed AS (
SELECT 'CVE-2020-1350' AS CVEid,
CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END DNS_Role_Present
FROM services
WHERE name = 'DNS'
), workaround AS (
SELECT 'CVE-2020-1350' AS CVEid,
CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END Workaround_Deployed
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
AND name = 'TcpReceivePacketSize'
AND CAST(data AS int) <= 65280
), patched AS (
SELECT 'CVE-2020-1350' AS CVEid,
CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END MS_Patch_Deployed
FROM patches
WHERE hotfix_id IN ( 'KB4558998', 'KB4565483', 'KB4565503', 'KB4565511','KB4565524', 'KB4565529', 'KB4565535', 'KB4565536', 'KB4565537', 'KB4565539', 'KB4565540', 'KB4565541' )
)
SELECT * FROM vulnerable JOIN installed USING (CVEid), workaround USING (CVEid), patched USING (CVEid)