What OT Security Practitioners Need to Know About SIGRed
By the Claroty Research Team
As part of its Patch Tuesday batch of software updates released last week, Microsoft issued a fix for CVE-2020-1350, a 17-year-old remote code execution flaw that could allow an attacker to send malicious requests to Windows DNS Servers. Dubbed “SIGRed” by the cybersecurity researchers at Check Point who discovered it, CVE-2020-1350 is a “wormable” vulnerability, which means it can spread from one infected machine to another without human interaction.
All users of affected Windows DNS Server versions 2003 to 2019 are advised to update immediately if possible. For users unable to immediately implement the fix, Microsoft also provided a registry-based workaround which can be implemented without restarting the server. Microsoft noted that due to the volatility of SIGRed, administrators may need to implement the workaround before applying the security update. In addition, Claroty customers received a critical bundle containing the CVE and Snort signatures for SIGRed.
The Claroty Research Team would like to emphasize the following takeaways for those tasked with securing OT environments:
SIGRed’s severity cannot be understated.
SIGRed’s highly damaging potential can be attributed to its wormable self-spreading capabilities combined with the ease and high likelihood of its exploitation given the availability of its POC code. While the Common Vulnerability Scoring System (CVSS) is flawed system for assessing the level of risk CVEs pose to OT environments, the fact that SIGRed was given a rare perfect score (10 out of 10) in terms of severity is a testament to its potentially devastating impact on businesses worldwide. Furthermore, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive giving federal government agencies 24 hours to patch the vulnerability.
Windows DNS Servers are widely used within OT environments.
Only a handful of DNS servers are widely used, meaning that SIGRed likely poses a threat to practically every small-to-medium-sized business in the world. Furthermore, it would be a big mistake for those tasked with defending operational technology (OT) to assume SIGRed’s scope is limited to the realm of information technology (IT).
In fact, Claroty’s researchers have noted the widespread use of Microsoft’s Active Directory service within OT environments. Furthermore, Claroty researchers have also observed a concerning number of OT assets with Internet-accessible DNS servers, which are especially susceptible to SIGRed’s ability to self propagate.
OT network segmentation and vulnerability management are your best insurance policy.
When it was disclosed last week, SIGRed’s wormable remote execution capabilities drew immediate concern it could follow in the footsteps of EternalBlue, the vulnerability that enabled the NotPetya and WannaCry ransomware attacks to wreak havoc on businesses worldwide in 2017.
More than two months passed between when the EternalBlue patch was issued and the NotPetya attacks occurred, and by applying that patch, many organizations could have avoided catastrophic damage. Given history’s tendency to repeat itself, security practitioners would be wise to patch SIGRed as soon as possible, despite the costly and disruptive nature of patch administration.
In reality, it’s impossible to fully predict when a cyber attack of a similar scale will occur. That being said, proactively adopting two essential best practices can help organizations fortify their OT environments from the next large-scale wormable vulnerability exploitation:
Network Segmentation: Wormable vulnerabilities like SIGRed and EternalBlue can enable the rapid spread of malware across networks that lack proper segmentation. As such, investing time and effort into ensuring your OT environment is aligned with the Purdue Model and other network segmentation best practices is an essential component of any effective OT defense strategy.
Vulnerability Management: When it comes to effective OT vulnerability management, security practitioners must be able to identify which security flaws are present within OT assets, as well as the ability to accurately assess the level of risk posed by each vulnerability.
To learn how The Claroty Platform can help you protect your OT environment from emerging vulnerabilities and other threats, request a demo.