
SIGRed Exploit CVE-2020-1350

Identify SIGRed-vulnerable DNS servers

Description

Kaseya VSA Procedure
Audit - SIGRed Vulnerability Check

Kaseya VSA Agent Procedure to detect whether a DNS server is vulnerable to the wormable SIGRed exploit (CVE-2020-1350).
Full Guide: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

The procedure will first check whether the endpoint is running Windows DNS Server.
The procedure will then check whether the Windows DNS Server executable file has a date older than the one included in the July 14, 2020 Monthly or Security Only Rollup (and future rollups).
It will also check the registry and report whether the registry mitigation is present.
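
The three checks described above, sketched as a standalone PowerShell function. This is an added example, not the published Kaseya procedure or Microsoft code: the function name `Get-SigRedStatus` and the cutoff date are assumptions (the page does not state the patched file's timestamp), the registry value is the workaround from Microsoft's advisory, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not the published Kaseya procedure.
# ASSUMPTION: placeholder cutoff date. The page does not give the timestamp of the
# patched dns.exe; substitute the value for your OS build from the rollup's file list.
$PatchedFileDate = [datetime]'2020-07-14'

# Registry workaround from Microsoft's CVE-2020-1350 advisory.
$MitigationKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$MitigationName  = 'TcpReceivePacketSize'
$MitigationValue = 0xFF00

function Get-SigRedStatus {
    param(
        [string]$DnsExePath = (Join-Path $env:SystemRoot 'System32\dns.exe'),
        [datetime]$Cutoff   = $PatchedFileDate
    )

    $result = [ordered]@{
        IsDnsServer        = $false
        FileOlderThanPatch = $null
        MitigationPresent  = $null
        Status             = 'Not a DNS server'
    }

    # Check 1: dns.exe is only present where the DNS Server role is installed.
    if (Test-Path -LiteralPath $DnsExePath -PathType Leaf) {
        $result.IsDnsServer = $true

        # Check 2: a file date before the cutoff suggests the July 2020 fix is missing.
        $file = Get-Item -LiteralPath $DnsExePath
        $result.FileOlderThanPatch = ($file.LastWriteTime -lt $Cutoff)

        # Check 3: workaround value present (ASSUMPTION: any value at or below 0xFF00 counts).
        $reg = Get-ItemProperty -Path $MitigationKey -Name $MitigationName -ErrorAction SilentlyContinue
        $result.MitigationPresent = ($null -ne $reg) -and ($reg.$MitigationName -le $MitigationValue)

        if (-not $result.FileOlderThanPatch) { $result.Status = 'Patched' }
        elseif ($result.MitigationPresent)   { $result.Status = 'Unpatched, registry mitigation present' }
        else                                 { $result.Status = 'VULNERABLE' }
    }
    [pscustomobject]$result
}

# Run against the local machine and show every field.
Get-SigRedStatus | Format-List
```

A file timestamp is only a heuristic for patch level, so confirm a "Patched" result against the installed updates. Microsoft's advisory also notes that the registry workaround takes effect only after the DNS service is restarted.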

The following custom fields must be created prior to running this procedure:
SIGRed

Requires PowerShell.

Update 7/22/20 - Modified initial DNS server checks to better evaluate older DNS server versions.

Developer
  • Name: Colton Morrison
  • Company: CHR Solutions
  • Website: https://chrsolutions.com
  • 23 Downloads
  • Version:
  • Released on July 17th, 2020
  • Reviews

    SIGRed Exploit CVE-2020-1350 has no reviews.

    Discussion
    mark 3 months ago

    Anyone else failing on line 5?

    Kaseya Automation Team 3 months ago

    Hey Mark, you should make sure to create the custom field.

    Matthew Steel 3 months ago

    I'm failing step 4 (Line 9), any ideas?

    Colton Morrison 3 months ago

    Matthew, please check your agent Procedure Logs and look for the "DEBUG" entry that looks like this. The results must show either True or False. Example:

    4:36:29 pm 23-Jul-20 Audit - SIGRed Vulnerability Check DEBUG: DNS Server Check results: True

    4:36:29 pm 23-Jul-20 Execute Shell command - Get Results to Variable Success THEN 

    4:36:28 pm 23-Jul-20 Execute Shell command - Get Results to Variable-0005 Executing command in 64-bit shell as system: powershell.exe "[IO.FileInfo] $DNSServer = 'C:\Windows\System32\dns.exe'; $DNSServer.Exists" >"C:\KTemp\commandresults-206495958.txt" 2>&1 

    Chris 3 months ago

    2nd check is failing.

    FAILED in processing THEN step 2, Get Variable, with error File Open Failed, Get content from file c:\[my kworking]\SIGRed_results.txt


    I suspect it has to do with line 11 / 13.

    Chris 3 months ago

    Yeah, it worked for me when I manually hardcoded line 11 and 13 to point to my working directory rather than c:\ktemp.


    Chris 3 months ago

    A more sensible solution is to replace

    Out-file C:\KTemp\SIGRed_results.txt

    in lines 11 and 13 with 

    Out-file #AgentTempDir#\SIGRed_results.txt


    Colton Morrison 3 months ago

    That's right Chris. An updated version will be posted this week. Thanks for the tip!