Microsoft released the SIGred security patch for Windows Servers 2008 to 2019. All these Windows Servers with the DNS role installed are affected. There is a security-only update and a monthly rollup update. Up to you which one you like to install. After installing one of the updates and a reboot, the SIGRed patch fails in Windows Server 2008 R2. The error is showing: Failure configuring Windows updates. Reverting changes. Do not turn off your computer. Why is it happening and what is the solution to it?
SIGRed Windows DNS Server Remote Code Execution Vulnerability
CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability is discovered by Check Point. Microsoft rates the vulnerability with the highest possible risk level 10.0 on the scale of the “Common Vulnerability Scoring System” (CVSS).
Check Point researchers recently discovered a critical vulnerability that would allow an attacker to do exactly this in Windows DNS Server, an essential component of any Windows network environment. We reported it to Microsoft, who acknowledged it as a critical vulnerability (CVSS score 10.0 – indicating the highest possible severity) and issued an urgent patch for it. We strongly recommend users apply the patch to their affected Windows DNS Server versions from 2003 to 2019 to prevent the exploitation of this vulnerability.
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server. The update addresses the vulnerability by modifying how Windows DNS servers handle requests.
SIGRed disclosure timeline
- 19 May 2020 – Initial report to Microsoft.
- 18 Jun 2020 – Microsoft issued CVE-2020-1350 to this vulnerability.
- 09 Jul 2020 – Microsoft acknowledged this issue as a wormable, critical vulnerability with a CVSS score of 10.0.
- 14 Jul 2020 – Microsoft released a fix (Patch Tuesday).
SIGRed Microsoft patch fails to install in Windows Server 2008 R2
You cannot install KB4565524 or KB4565539 on Server 2008 R2, it’s failing. At first, it’s looking great because it’s installing the update. After the update, you have to reboot. After a restart of the server, it will show the following error: Failure configuring Windows updates. Reverting changes. Do not turn off your computer. The Windows Server 2008 R2 did not install the updates, it failed.
Why did the SIGRed patch fails to install in Windows Server 2008 R2?
Solution KB4565524 and KB4565539 failing to update
You are missing the Extender Security Updates (ESU) license. If you don’t buy it, the SIGRed patch by Microsoft will fail when updating.
Click the following pages and go to the prerequisites section:
Before installing this update, the prerequisites are:
You must install the updates listed below and restart your device before installing the latest Rollup. Installing these updates improves the reliability of the update process and mitigates potential issues while installing the Rollup and applying Microsoft security fixes.
- The March 12, 2019 servicing stack update (SSU) (KB4490628). To get the standalone package for this SSU, search for it in the Microsoft Update Catalog. This update is required to install updates that are only SHA-2 signed.
- The latest SHA-2 update (KB4474419) released September 10, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically. This update is required to install updates that are only SHA-2 signed. For more information on SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
- The June 9, 2020 SSU (KB4562030) or later. To get the standalone package for this SSU, search for it in the Microsoft Update Catalog.
- The Extended Security Updates (ESU) Licensing Preparation Package (KB4538483) released February 11, 2020. The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the Microsoft Update Catalog.
Now I do recommend that you update all your machines to Windows Server 2016 or Windows Server 2019. In the meanwhile patch the DNS vulnerability, have a look at the next step.
Patch DNS vulnerability with registry
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that’s allowed.
Patch Windows Server DNS vulnerability with Group Policy Management
Create a GPO in Group Policy Management with the following registry key. Link the GPO to the Windows Server 2008 R2 that do have the DNS role installed.
Value data: 0xFF00
Run Command Prompt as administrator and restart the DNS services: net stop DNS && net start DNS
Patch Windows Server DNS vulnerability with Command Prompt
If you only have a couple of Windows Server 2008 R2 with the DNS role installed, you can add the registry key manually. To speed it up, use Command Prompt.
Run Command Prompt as administrator. Make use of the reg-add command.
C:\>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
C:\>net stop DNS && net start DNS
Patch Windows Server DNS vulnerability with PowerShell
Run PowerShell as administrator. Run the following three cmdlets.
PS C:\> $null = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Force
PS C:\> New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\parameters -Name "TcpReceivePacketSize" -PropertyType DWord -Value 0xFF00 -Force
TcpReceivePacketSize : 65280
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\par
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName : parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
PS C:\> Restart-Service DNS
The Windows Server 2008 R2 is now protected for the vulnerability CVE-2020-1350. Keep in mind that you still can’t update to new security updates and monthly rollup updates.
In this article, you learned why the SIGRed patch fails in Windows Server 2008 R2. Make sure to have the prerequisites installed in Windows Server 2008 R2. Do that before installing one of the updates mentioned in this article. If you are going to upgrade to a newer Windows Server and not going to buy ESU, create a registry key in Windows Server 2008 R2 to patch the vulnerability.
I recommend you to upgrade the Windows Servers 2008 R2 to Windows Server 2016/2019. After that, decommission all the Windows Server 2008 R2 systems.
Did you enjoy this article? If so, you may like Disable Windows Firewall with PowerShell. Don’t forget to follow us and share this article.