CVE-2020-1350 Overview
CVE-2020-1350, known publicly as SIGRed, is a wormable remote code execution vulnerability in Windows Domain Name System (DNS) Server. The flaw exists in how the dns.exe service parses inbound DNS responses, allowing an unauthenticated attacker to trigger a heap-based memory corruption over the network. Because Windows DNS Server typically runs on Domain Controllers with SYSTEM privileges, successful exploitation grants full control of core Active Directory infrastructure. Microsoft published the advisory on July 14, 2020, and CISA added the issue to the Known Exploited Vulnerabilities catalog. The vulnerability affects every supported Windows Server release from 2008 through 2019.
Critical Impact
Unauthenticated network attackers can achieve SYSTEM-level remote code execution on Windows DNS Servers, including Domain Controllers, and the flaw is wormable between affected hosts.
Affected Products
- Microsoft Windows Server 2008 SP2 and Windows Server 2008 R2 SP1
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows Server 2016 and Windows Server 2019
Discovery Timeline
- 2020-07-14 - Microsoft releases security patch for CVE-2020-1350
- 2020-07-14 - CVE-2020-1350 published to NVD
- 2025-12-18 - Last updated in NVD database
Technical Details for CVE-2020-1350
Vulnerability Analysis
The vulnerability resides in the Windows DNS Server service (dns.exe) and is triggered when the server processes a DNS response containing a SIG resource record. The DNS server acts as a client when it performs recursive resolution, so an attacker who can cause a target server to query an attacker-controlled domain can return a malformed response. A specially crafted SIG record with an oversized signature field causes an integer overflow during length calculation, which leads to a heap-based buffer overflow when the data is copied into a fixed buffer. CISA classifies the flaw under [CWE-20: Improper Input Validation]. Microsoft considers the bug wormable because compromised DNS servers can be used to send malicious responses to other DNS servers, propagating code execution without user interaction.
Root Cause
The root cause is improper validation of the length of DNS signature data received over TCP. DNS responses larger than 65,535 bytes are handled in a way that allows the size value to wrap, producing a smaller allocation than the data ultimately copied. The mismatch corrupts adjacent heap structures inside the dns.exe process.
Attack Vector
An attacker registers or controls a domain and configures its authoritative name server to return crafted responses. The attacker then induces a query toward that domain from the victim DNS server, for example by sending an email that triggers a SPF or MX lookup, or by browsing a page that references the domain. The malicious response is returned over TCP and processed by dns.exe, leading to memory corruption and code execution in the security context of LocalSystem. Refer to the Microsoft Security Advisory CVE-2020-1350 and the Packet Storm Exploit Analysis for additional technical detail.
Detection Methods for CVE-2020-1350
Indicators of Compromise
- Unexpected crashes or restarts of the DNS service (dns.exe) recorded as Windows Error Reporting events or Service Control Manager event ID 7031 / 7034.
- Inbound DNS responses over TCP carrying SIG (type 24) records with abnormally large RDATA fields exceeding 64 KB.
- DNS servers initiating recursive queries to newly registered or low-reputation external domains shortly before a service fault.
- Child processes spawned by dns.exe, especially command interpreters such as cmd.exe or powershell.exe, which should never occur during normal operation.
Detection Strategies
- Inspect TCP DNS traffic for responses larger than 65,535 bytes and for SIG records with malformed length fields using IDS signatures distributed for SIGRed.
- Hunt for process lineage anomalies where dns.exe is the parent of any non-DNS binary, indicating successful exploitation.
- Correlate DNS service crashes with preceding outbound recursive queries to identify attempted exploitation that failed to gain code execution.
Monitoring Recommendations
- Enable DNS diagnostic logging and forward Microsoft-Windows-DNSServer/Analytical events to a central SIEM for retention and analysis.
- Monitor Domain Controllers and DNS servers for memory corruption indicators using endpoint behavioral telemetry rather than signature-based scanning alone.
- Track changes to the TcpReceivePacketSize registry value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, which is used in the official workaround and should not be altered unexpectedly.
How to Mitigate CVE-2020-1350
Immediate Actions Required
- Apply the July 2020 Microsoft security update for every Windows Server running the DNS Server role, prioritizing Domain Controllers.
- If patching must be delayed, implement the registry workaround that caps the maximum allowed inbound TCP DNS packet size and restart the DNS service.
- Restrict outbound DNS recursion from server-class systems that do not require it, and place internet-facing resolvers behind filtering proxies.
- Audit all Windows Servers for the DNS Server role using Get-WindowsFeature DNS to ensure no unpatched instance is overlooked.
Patch Information
Microsoft released cumulative and security-only updates for CVE-2020-1350 on July 14, 2020, covering Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, and 2019. Full update identifiers and download links are listed in the Microsoft Security Advisory CVE-2020-1350. Because the vulnerability is in the CISA Known Exploited Vulnerabilities catalog, federal agencies are required to remediate within the published timeline.
Workarounds
- Set the registry value HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\TcpReceivePacketSize to 0xFF00 (DWORD) to reject DNS responses large enough to trigger the overflow.
- Restart the DNS service after applying the workaround so that the new packet size limit takes effect.
- Remove the DNS Server role from systems that do not require it to reduce the attack surface until full patching is complete.
# Configuration example - SIGRed registry workaround
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v TcpReceivePacketSize /t REG_DWORD /d 0xFF00 /f
net stop DNS
net start DNS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
