Identify SIGRred-vulnerable DNS servers
Kaseya VSA Procedure
Audit - SIGRed Vulnerability Check
Kaseya VSA Agent Procedure to detect whether a Windows DNS Server is vulnerable to the wormable SIGRed vulnerability (CVE-2020-1350).
Full Guide: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
The procedure first checks whether the endpoint is running Windows DNS Server.
It then checks the Windows DNS Server executable (dns.exe) and reports whether its file date is older than the build shipped in the July 14, 2020 Monthly or Security Only Rollup (or a later rollup).
It also checks the registry and reports whether the registry workaround from the advisory is present.
The following custom field must be created before running this procedure:
SIGRed
Requires PowerShell.
Update 7/22/20 - Modified initial DNS server checks to better evaluate older DNS server versions.
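The three checks the description lists (DNS Server present, dns.exe older than the patched build, registry workaround present), as an added stand-alone PowerShell example. This is not the Automation Exchange procedure's own code. Assumptions: the registry key and value are the workaround documented in the linked MSRC advisory (TcpReceivePacketSize = 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters); the patched-file date threshold is a placeholder you must replace with the dns.exe date of the July 2020 build for your OS; the output path is a parameter so the script can be pointed at the agent working directory rather than a fixed C:\KTemp.

```powershell
# Added example (not the Automation Exchange procedure). Writes a one-line
# result file that an agent procedure can read back into the SIGRed custom field.
param(
    # Assumption: caller passes the agent working directory; default is a placeholder.
    [string]$OutputPath = (Join-Path $env:TEMP 'SIGRed_results.txt'),
    # Assumption: placeholder threshold. Replace with the dns.exe file date of the
    # July 14, 2020 (or later) rollup build for the OS you are auditing.
    [datetime]$PatchedFileDate = (Get-Date '2020-07-14')
)

$dnsExe          = Join-Path $env:SystemRoot 'System32\dns.exe'
$paramsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$mitigationName  = 'TcpReceivePacketSize'
$mitigationValue = 0xFF00   # value from the MSRC workaround for CVE-2020-1350

function Test-DnsServerInstalled {
    # Service check first; fall back to the file test used by the procedure's
    # step 4 so a stopped or renamed service still counts as "DNS Server present".
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if ($svc) { return $true }
    return (Test-Path -LiteralPath $dnsExe)
}

function Test-DnsExePatched {
    # Older than the patched build => vulnerable. File version is surfaced in the
    # result so an admin can confirm against the OS-specific patched version.
    $fi = Get-Item -LiteralPath $dnsExe -ErrorAction Stop
    return ($fi.LastWriteTime -ge $PatchedFileDate)
}

function Test-RegistryMitigation {
    $v = Get-ItemProperty -Path $paramsKey -Name $mitigationName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $false }
    # The advisory sets exactly 0xFF00; any value at or below that also caps the
    # oversized TCP response the exploit relies on.
    return ([int]$v.$mitigationName -le $mitigationValue)
}

$result = 'Not a DNS server'
if (Test-DnsServerInstalled) {
    $fi        = Get-Item -LiteralPath $dnsExe
    $ver       = $fi.VersionInfo.FileVersion
    $patched   = Test-DnsExePatched
    $mitigated = Test-RegistryMitigation
    if ($patched) {
        $result = "Patched (dns.exe $ver, $($fi.LastWriteTime.ToString('yyyy-MM-dd')))"
    } elseif ($mitigated) {
        $result = "Vulnerable build (dns.exe $ver), registry mitigation present"
    } else {
        $result = "VULNERABLE (dns.exe $ver): no patch, no registry mitigation"
    }
}

# Create the output directory if it is missing, otherwise the later "get variable
# from file" step fails with File Open Failed. ASCII, no BOM, so the agent reads
# the line back verbatim.
$dir = Split-Path -Parent $OutputPath
if ($dir -and -not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}
Set-Content -LiteralPath $OutputPath -Value $result -Encoding Ascii
Write-Output $result
```

Run it from a 64-bit shell as SYSTEM, the same way the procedure runs its Execute Shell steps, e.g. `powershell.exe -ExecutionPolicy Bypass -File .\Test-SIGRed.ps1 -OutputPath "C:\kworking\SIGRed_results.txt"`, then read that file into the SIGRed custom field. A date comparison is only as good as the threshold you supply; where you know the patched dns.exe file version for each OS, compare `$fi.VersionInfo.FileVersion` against it instead.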
Hey Mark, you should make sure to create the custom field.
I'm failing step 4 (Line 9), any ideas?
Matthew, please check your agent Procedure Logs and look for the "DEBUG" entry that looks like this. The results must show either True or False. Example:
4:36:29 pm 23-Jul-20 Audit - SIGRed Vulnerability Check DEBUG: DNS Server Check results: True
4:36:29 pm 23-Jul-20 Execute Shell command - Get Results to Variable Success THEN
4:36:28 pm 23-Jul-20 Execute Shell command - Get Results to Variable-0005 Executing command in 64-bit shell as system: powershell.exe "[IO.FileInfo] $DNSServer = 'C:\Windows\System32\dns.exe'; $DNSServer.Exists" >"C:\KTemp\commandresults-206495958.txt" 2>&1
2nd check is failing
FAILED in processing THEN step 2, Get Variable, with error File Open Failed, Get content from file c:\[my kworking]\SIGRed_results.txt
I suspect it has to do with line 11 / 13.
Yeah, it worked for me when I manually hardcoded lines 11 and 13 to point to my working directory rather than C:\KTemp.
a more sensible solution is to replace
Out-file C:\KTemp\SIGRed_results.txt
That's right Chris. An updated version will be posted this week. Thanks for the tip!
Anyone else failing on line 5?