On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.
You can read more about Cisco Umbrella's response to CVE-2020-1350 on our blog:
https://umbrella.cisco.com/blog/cisco-umbrella-protects-against-sigred-cve-2020-1350
Is Cisco Umbrella vulnerable to CVE-2020-1350?
Only the Windows DNS server application is vulnerable to CVE-2020-1350, as this exploit makes use of specific flaws in that application. The Cisco Umbrella resolvers use a custom-built DNS resolver, and they are able to properly handle SIG responses. As such, the Cisco Umbrella resolvers are not themselves vulnerable to CVE-2020-1350.
Can Cisco Umbrella be used to mitigate CVE-2020-1350?
Cisco Umbrella resolvers will return a REFUSED response for any query with a query type of SIG. Additionally, the Cisco Umbrella resolvers do not support records defined in RFC 2065 as security records and thus would not automatically include SIG records in a response for validation purposes. This is distinct from our support for DNSSEC as defined in RFCs 4033, 4034, 4035, and others, which Cisco Umbrella continues to support.
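To confirm that the resolver your clients actually use refuses SIG queries as described above, the following added example (not Cisco's code) builds a SIG query in RFC 1035 wire format and reads the RCODE of the reply. The resolver address is supplied by the caller, `example.com` is a placeholder name, and the sample reply bytes are constructed rather than captured.

```python
import socket
import struct

QTYPE_SIG = 24  # SIG record type (RFC 2065 / RFC 2535)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}  # RFC 1035

def build_query(name, qtype=QTYPE_SIG, txid=0x5157):
    """Encode a single-question, recursion-desired DNS query in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("invalid label length in %r" % name)
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_rcode(response, txid):
    """Return the RCODE name of a reply; reject short or mismatched packets."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to this query")
    code = flags & 0x000F
    return RCODES.get(code, "RCODE%d" % code)

def resolver_refuses_sig(resolver_ip, name="example.com", timeout=3.0):
    """Send one SIG query over UDP; True if the resolver answers REFUSED."""
    txid = 0x5157
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, QTYPE_SIG, txid), (resolver_ip, 53))
        response, _ = sock.recvfrom(512)
    return parse_rcode(response, txid) == "REFUSED"

# Constructed sample reply header (not captured traffic):
# QR=1, RD=1, RA=1, RCODE=5 (REFUSED)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x5157, 0x8185, 1, 0, 0, 0)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(parse_rcode(SAMPLE_REFUSED, 0x5157))
```

Call `resolver_refuses_sig()` with the address of the resolver your network forwards to; a result other than `True` means SIG queries are not being refused on that path.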
Additionally, Cisco Talos has released rules for Snort to match attacks targeting this vulnerability, which can be found here:
https://blog.snort.org/2020/07/snort-rule-update-for-july-14-2020.html
The Cisco Umbrella team is actively monitoring for exploitation of this new vulnerability and will block any domains discovered. If you discover a domain attempting to abuse this technique, please let us know by contacting our Support team at https://support.umbrella.com or via email at <umbrella-support@cisco.com>.