security_3

Testing Windows DNS SIGRed Vulnerability with Chef InSpec

It’s not DNS.

There’s no way it’s DNS.

It was DNS.

A system administrator’s haiku, many have uttered before. Today it rings true once again. CVE-2020-1350 is a vulnerability found in _all_ versions of Windows Server DNS back to 2003. Found by the folks at Checkpoint, this is a highly critical vulnerability. Not only does the attack allow for attackers to execute code as Local System Account, but it is a common practice for Windows DNS servers to be Domain Controllers. Effectively granting access across the entire domain.

This is a terrifyingly simple exploit, and is exploitable if your DNS server queries a malicious name server, which can be triggered any number of ways. Easiest way is a phishing attack on your users (see Checkpoint’s video for a 30 second demonstration).

Yet again the enterprise is looking at a critical security vulnerability. Our systems are too complex for us to rest assured all of the bugs were fixed ahead of time, and so organizations need to adopt a posture of Continuous Compliance and DevSecOps. Rapid response to these issues and continuous deployment processes are critical to resolving these vulnerabilities quickly and safely.

Here at Chef, that’s what we help our customers build. A couple of our Customer Architects & Consultants paired on creating a quick Chef Inspec profile that allows you to test your Windows Servers for the fix. It looks for either a KB to be installed or Microsoft’s registry workaround applied:

title 'Windows DNS Vulnerability audit'

control 'CVE-2020-1350' do
  impact 1.0

  title 'Windows DNS Server Remote Code Execution Vulnerability'

  desc 'A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.'

  tag cve: 'CVE-2020-1350'
  ref 'CVE-2020-1350', url: 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350'
  # Not required to add os-family check here but including for inclusion in mixed-platform profiles
  only_if { os[:family] == 'windows' && windows_feature('DNS').installed? }

  describe.one do
    describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters') do
      # InSpec tests the decimal value so we'll provide it 65280d = FF00h
      its('TcpReceivePacketSize') { should eq 65280 }
    end

    describe windows_hotfix('KB4558998') do
      it { should be_installed }

    end

    describe windows_hotfix('KB4565511') do
      it { should be_installed }

    end

  …

end

In the example here, we’ve truncated the other hotfix checks for different versions of Windows Server, but the describe.one ensures that as long as one of the tests pass, either the KB installed or the registry workaround, this control passes and the system is marked compliant’ against this CVE.

We have the full profile on Github and if you’re new to Chef InSpec, we recommend you start at learn.chef.io, specifically this course. If you have questions, or need any help with implementation, drop into the #inspec channel on our community slack.

Our systems are complex, their interactions varied and we cannot ensure 100% security forever. We must always be vigilant to new threats and operate with Infrastructure & Compliance as code to rapidly respond to issues inside of our environments. These are the principles behind DevSecOps and Continuous Compliance.

Tags:

Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA but am originally from Seattle, WA with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.

James Massardo

James Massardo is the Lead Customer Architect at Chef focusing on large enterprise. He has more than 20 years supporting and managing large Windows fleets. In his free time, he works with local schools to promote STEM education through competitive robotics programs.

Collin McNeese

Collin McNeese was an Engineering Consultant with Chef Software, Inc.