CVE-2020-1350: SigRed — The Wormable Windows DNS Server RCE
A 17-year-old heap overflow in the Windows DNS Server that earned a perfect CVSS 10.0 — wormable, pre-authentication, and requiring no user interaction to take over any Windows Server acting as a DNS resolver
CVE-2020-1350, named SigRed, is a critical heap overflow vulnerability in the Windows DNS Server service (dns.exe) that was present in every Windows Server release from 2003 to 2019 — a 17-year-old bug discovered by Check Point Research and patched by Microsoft in July 2020. An attacker can send a specially crafted DNS SIG record response to trigger the overflow and achieve SYSTEM-level remote code execution on any Windows Server functioning as a DNS resolver, with no authentication and no user interaction required. It received the maximum CVSS score of 10.0 and was classified as wormable.
Root Cause: SIG Record Parsing Heap Overflow
The Windows DNS Server processes DNS responses containing SIG (signature) resource records as part of DNSSEC operation. The vulnerable code path in dns.exe reads the length field of a SIG record and uses it to allocate a heap buffer. A crafted SIG record with a length value that causes an integer overflow during the allocation calculation results in a heap buffer that is smaller than the data subsequently written into it.
The exploit requires the attacker to either:
- Control a malicious DNS server that the target Windows DNS Server forwards queries to (DNS forwarding chain attack), or
- Be in a position to send a crafted DNS response over UDP or TCP to the target
Because DNS servers routinely query external resolvers and forward queries to upstream nameservers, the forwarding-chain attack is particularly dangerous — a single compromised or malicious external DNS server can trigger SigRed on any corporate DNS server that forwards to it.
Wormability: Why CVSS 10.0
SigRed received the maximum CVSS score of 10.0 partly due to its wormable classification. A wormable vulnerability can self-propagate across a network without additional attacker interaction:
1. Attacker compromises DNS Server A via SigRed
2. DNS Server A is now weaponized to serve malicious SIG records
3. Any DNS Server B that queries Server A receives the malicious response
4. Server B is compromised
5. The cycle continues across the DNS infrastructure
In an enterprise environment where multiple Windows DNS servers forward to a common external resolver, a single poisoned response could cascade across the entire internal DNS infrastructure. Combined with the SYSTEM execution privilege — which allows complete OS control including credential dumping and lateral movement — the potential blast radius is total domain compromise.
Attack Chain
The SigRed exploitation path targeting a corporate DNS server:
Position for DNS Response Injection
Attacker controls a malicious DNS server reachable from the target, or performs DNS response spoofing. The target Windows DNS Server must query the attacker's server — typically via a forwarding configuration or recursive resolution of an attacker-registered domain.
Malicious SIG Record Returned
Attacker's DNS server responds to a query with a crafted SIG resource record containing a length field that triggers an integer overflow in dns.exe during heap allocation.
Heap Overflow in dns.exe
Windows DNS Server allocates an undersized heap buffer based on the corrupted length value, then writes controlled data beyond the buffer boundary, corrupting adjacent heap structures.
SYSTEM Code Execution
Heap corruption leads to controlled code execution within the dns.exe process, which runs as SYSTEM. Attacker achieves full OS control on the DNS server.
Domain Compromise and Lateral Propagation
DNS server with SYSTEM privileges enables credential harvesting, Active Directory reconnaissance, and — in the wormable scenario — poisoning of downstream DNS servers querying the now-compromised resolver.
Affected Versions
CVE-2020-1350 affects all Windows Server versions where the DNS Server role is installed:
- Windows Server 2003 (no longer supported, no patch)
- Windows Server 2008 / 2008 R2
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
Only systems with the DNS Server role actively running are vulnerable. Domain Controllers frequently run DNS Server by default, making them a primary target — a compromised DC provides immediate domain-wide access.
Detection
Indicators and detection approaches for CVE-2020-1350 exploitation attempts:
| Artifact | Type | Detection Notes |
|---|---|---|
| DNS responses containing oversized SIG records (total response > 65,280 bytes) | Network — DNS traffic capture | Filter DNS traffic for responses exceeding 65KB; the workaround registry key also indirectly detects this by dropping such responses |
| dns.exe process crash events or unexpected restarts in Windows Event Log | Windows Event Log — Application/System | Failed exploitation attempts may cause dns.exe to crash; Event ID 1000 (Application Error) with faulting module dns.exe |
| Unexpected child processes spawned by dns.exe | Process telemetry (EDR) | dns.exe spawning cmd.exe, powershell.exe, or other shells is a strong post-exploitation indicator; dns.exe should not have interactive child processes |
| Anomalous outbound DNS-over-TCP connections to external IPs | Network telemetry | SigRed exploit may require TCP DNS (for larger payloads); monitor for DNS Server initiating TCP/53 connections to unexpected external resolvers |
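The two host-side rows of the table (dns.exe crashes and unexpected child processes) can be hunted for directly in the Windows Event Log. The script below is an added example, not part of the original article or any vendor tooling; it assumes it is run elevated on the DNS server, that process-creation auditing (Security event 4688) is enabled for the child-process check, and the lookback window and the list of suspicious child images are this example's own choices.

```powershell
# Added example (not from the original article): hunt for the host-side SigRed
# indicators from the detection table using the Windows Event Log.
# Assumes: run as Administrator on the DNS server; Security event 4688
# (process creation) auditing is enabled. Lookback and the suspicious-child
# list below are this example's own choices.

param(
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. dns.exe crashes: Application Error (Event ID 1000) where the faulting
#    application is dns.exe. A failed overflow attempt often ends here.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Faulting application name:\s*dns\.exe' }

foreach ($e in $crashes) {
    $module = if ($e.Message -match 'Faulting module name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    Write-Output ("[CRASH] {0} dns.exe faulted, module={1}" -f $e.TimeCreated, $module)
}

# 2. Child processes of dns.exe: Security event 4688 carries NewProcessName and
#    (on Server 2016+) ParentProcessName in its EventData. dns.exe should never
#    launch a shell or script host.
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe',
                      'wscript.exe', 'mshta.exe', 'rundll32.exe', 'certutil.exe'

$procEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $procEvents) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ParentProcessName'] -match '\\dns\.exe$') {
        $child = [System.IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
        $tag   = if ($suspiciousChildren -contains $child) { 'ALERT' } else { 'INFO' }
        Write-Output ("[{0}] {1} dns.exe spawned {2} cmdline='{3}'" -f $tag, $e.TimeCreated, $data['NewProcessName'], $data['CommandLine'])
    }
}

# 3. Live check: any process whose parent is the running DNS service process.
$dnsProc = Get-Process -Name dns -ErrorAction SilentlyContinue
if ($dnsProc) {
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $($dnsProc.Id)" |
        ForEach-Object { Write-Output ("[LIVE] dns.exe (PID {0}) has child {1} (PID {2})" -f $dnsProc.Id, $_.Name, $_.ProcessId) }
}
```

The CommandLine field of event 4688 is only populated when command-line logging is enabled in audit policy; without it the ALERT lines still fire on the image name alone. Any ALERT line, or any live child of dns.exe, should be treated as a post-exploitation indicator and the host isolated for investigation.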
Remediation
Steps in order of priority:
Apply the July 2020 Patch Tuesday update
The fix is in the July 14, 2020 cumulative update (KB4565503 for Windows Server 2019, and corresponding KBs for earlier versions). This is the only complete remediation. Verify via Windows Update history or WSUS compliance reports.
Apply the registry workaround as an emergency measure
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\TcpReceivePacketSize to 0xFF00 (DWORD). This caps the maximum DNS message size and prevents the oversized SIG record from triggering the overflow. Requires DNS service restart (not a reboot). This workaround was confirmed effective by Microsoft.
Audit DNS forwarding configurations
Review all Windows DNS Server forwarding targets. Remove unnecessary external forwarders. If DNS servers must forward externally, ensure they only forward to known, trusted resolvers (e.g., your ISP's resolvers or a managed service). Eliminate any forwarder pointing to untrusted or unknown IP addresses.
Isolate DNS servers from unnecessary internet exposure
DNS servers should not have their DNS port (UDP/TCP 53) exposed to the internet beyond what is required for authoritative zone serving. Recursive resolvers should be internal-facing only. Restrict DNS server network access using firewall rules to limit which external hosts can send DNS responses to the server.
Prioritize Domain Controllers running DNS Server
Domain Controllers with the DNS Server role installed are the highest-priority targets. A compromised DC via SigRed immediately yields domain admin-equivalent access. Ensure these systems are patched first in any deployment wave.
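The first three remediation steps (verify the patch, apply the registry workaround where the patch is missing, audit forwarders) can be run as one check on each DNS server. The script below is an added example, not from the original article or from Microsoft; it assumes it runs elevated on the DNS server with the DnsServer PowerShell module installed, that KB4565503 (the Server 2019 KB named above) is the patch to look for, with a placeholder for the KB of other OS versions, and the forwarder allow-list addresses are constructed for the example.

```powershell
# Added example (not from the original article or Microsoft): check a Windows
# DNS Server for the SigRed patch, apply the TcpReceivePacketSize workaround if
# the patch is missing, and audit forwarders against an allow-list.
# Assumes: run elevated on the DNS server; the DnsServer module (DNS Server
# Tools) is installed. KB4565503 is the Server 2019 KB named in the article;
# other OS versions need their own KB (placeholder). The allow-list addresses
# are constructed for this example.

$RegPath           = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$RegName           = 'TcpReceivePacketSize'
$SafeMaxSize       = 0xFF00          # 65280 bytes, the value in Microsoft's workaround
$PatchKbs          = @('KB4565503')  # placeholder: add the KB for your OS version
$TrustedForwarders = @('203.0.113.10', '203.0.113.11')  # constructed allow-list (TEST-NET-3)

# 0. Only hosts with the DNS Server role are exposed.
$dnsRole = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsRole -or -not $dnsRole.Installed) {
    Write-Output 'DNS Server role not installed; host is not exposed to CVE-2020-1350.'
    return
}

# 1. Patch state: any of the listed KBs present means the cumulative fix is in.
$patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $PatchKbs -contains $_.HotFixID })
Write-Output ("Patch state: {0}" -f $(if ($patched) { 'PATCHED' } else { 'NOT PATCHED' }))

# 2. Workaround: cap inbound TCP DNS message size at 0xFF00. Applied only when
#    unpatched; the cap is a stopgap, not a replacement for the update.
$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
if (-not $patched) {
    if ($null -eq $current -or $current -gt $SafeMaxSize) {
        New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord `
                         -Value $SafeMaxSize -Force | Out-Null
        Restart-Service -Name DNS            # service restart, no reboot needed
        Write-Output ("Workaround applied: {0} = 0x{1:X}" -f $RegName, $SafeMaxSize)
    } else {
        Write-Output ("Workaround already present: {0} = 0x{1:X}" -f $RegName, $current)
    }
} elseif ($null -ne $current) {
    Write-Output ("Patched; workaround value 0x{0:X} can be removed after patch validation." -f $current)
}

# 3. Forwarder audit: flag any forwarder outside the allow-list.
$forwarders = Get-DnsServerForwarder -ErrorAction SilentlyContinue
foreach ($ip in $forwarders.IPAddress) {
    $addr = "$ip"
    if ($TrustedForwarders -contains $addr) {
        Write-Output ("Forwarder OK       : {0}" -f $addr)
    } else {
        Write-Warning ("Forwarder UNTRUSTED: {0} (remove or replace with a known resolver)" -f $addr)
    }
}
```

Run it against Domain Controllers first, since they most often carry the DNS Server role. The hotfix check is deliberately conservative: a missing KB in the list means the script reports NOT PATCHED and applies the cap, so keep the KB list current for every OS version in the estate rather than relying on the cap alone.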
The bottom line
SigRed is a reminder that some of the most dangerous vulnerabilities are hiding in protocol implementations that have been trusted for decades. A 17-year-old bug in the Windows DNS Server, requiring zero authentication and carrying wormable potential, illustrates why even foundational network services need regular security review. Domain Controllers running DNS Server should be treated as the highest-priority patch targets in any Windows environment — they are simultaneously the most capable and most attractive targets for this class of vulnerability.
Frequently asked questions
What is CVE-2020-1350 (SigRed)?
CVE-2020-1350, named SigRed by Check Point Research, is a wormable heap overflow vulnerability in the Windows DNS Server component (dns.exe) present in all Windows Server versions from 2003 to 2019. It allows unauthenticated remote code execution at SYSTEM level by sending a specially crafted DNS response. It received the maximum CVSS score of 10.0.
Was SigRed ever exploited in the wild?
Microsoft did not report confirmed in-the-wild exploitation of CVE-2020-1350. However, the 17-year age of the bug means it could have been known to sophisticated actors before public disclosure. The patch was released the same day as the Check Point research publication.
Is a workaround available if patching is not immediate?
Yes. Microsoft published a registry-based workaround (TcpReceivePacketSize) that caps the size of DNS messages accepted over TCP at 0xFF00 (65280 bytes), preventing the oversized SIG record from triggering the overflow. This can be applied without a reboot (a DNS service restart is enough) but is a temporary measure — the July 2020 patch is the definitive fix.
Does SigRed affect DNS clients (workstations)?
No. CVE-2020-1350 is a server-side vulnerability in the Windows DNS Server service. Standard DNS clients and workstations forwarding queries to an affected server are not directly exploitable — but a compromised DNS server can intercept and manipulate all DNS traffic for clients that use it.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
