
CVE-2020-1350 SIGRed Registry Mitigation PowerShell Script


If anyone needs the registry mitigation I put this together w/ some helpful error output and filtering. Script notes should suffice to figure out what it's doing, enjoy!

 

Try {
    ## Verify this is a server OS before continuing
    $serverCheck = (Get-CimInstance Win32_OperatingSystem).Caption

    If ($serverCheck -notlike '*Server*') {
        $fail = $True
        Write-Warning "This mitigation is only intended for Servers and this machine is running $serverCheck, unable to apply mitigation."
    } Else {
        ## Check to see if the DNS role is active so we don't make registry changes on machines that don't need them
        $dnsRoleCheck = (Get-WindowsFeature DNS).Installed

        If ($dnsRoleCheck -ne 'True') {
            $fail = $True
        }
    }
} Catch {
    $fail = $True
    Write-Warning "$env:COMPUTERNAME failed to check for the DNS role install status."
}


## If the script confirmed this has the DNS role, apply the mitigations
If (!$fail) {
    ## Set reg path we'll be working from
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

    Try {
        ## If the TcpReceivePacketSize DWORD value doesn't exist in registry, create it
        If (!(Get-ItemProperty -Path $regPath -Name TcpReceivePacketSize -EA 0)) {
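            ## -ErrorAction Stop makes a failed write a terminating error so the Catch block runs
            New-ItemProperty -Path $regPath -Name TcpReceivePacketSize -Value 0xFF00 -PropertyType DWORD -ErrorAction Stop | Out-Null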
            $restartDNS = $True
            Write-Output 'Applied SIGred CVE-2020-1350 DNS registry mitigation'
        }
     
        ## If the TcpReceivePacketSize DWORD in registry doesn't have the 0xFF00 value for the mitigation, update it to 0xFF00
        If (((Get-ItemProperty -Path $regPath -Name TcpReceivePacketSize -EA 0).TcpReceivePacketSize) -ne 65280) {
            Set-ItemProperty -Path $regPath -Name TcpReceivePacketSize -Value 0xFF00 -ErrorAction Stop | Out-Null
            $restartDNS = $True
            Write-Output 'Registry mitigation for SIGred CVE-2020-1350 DNS was present, but had the wrong value. Set value to 0xFF00'
        }
    } Catch {
        $fail = $True
        Write-Warning "Failed to create or update the registry key at $regPath, mitigation has not been successfully implemented."
    }


    ## If changes were made to DNS in registry, restart DNS services
    Try {
        If ($restartDNS) {
            ## -ErrorAction Stop so a failed restart reaches the Catch block below
            Restart-Service DNS -ErrorAction Stop
            Write-Output 'Restarted DNS services'
        }
    } Catch {
        $fail = $True
        Write-Warning "Failed to restart DNS services. DNS Services must be restarted in order for this mitigation to apply."
    }
}


## Final output of success/fail
If ($fail) {
    Write-Warning "!FAILED: Failed to apply mitigations for SIGred CVE-2020-1350. `r`n`r`nVerbose error output: $Error"
} Else {
    Write-Output '!SUCCESS: Successfully applied mitigations for SIGred CVE-2020-1350'
}

 

Thanks for this! I did notice this failure on a couple of my DNS servers, any idea on how to fix this:

WARNING: SERVER failed to check for the DNS role install status.
WARNING: !FAILED: Failed to apply mitigations for SIGred CVE-2020-1350.

Verbose error output: The term 'Get-CimInstance' is not recognized as the name 
of a cmdlet, function, script file, or operable program. Check the spelling of 
the name, or if a path was included, verify that the path is correct and try 
again.

7 hours ago, Sailons24 said:

Thanks for this! I did notice this failure on a couple of my DNS servers, any idea on how to fix this:

WARNING: SERVER failed to check for the DNS role install status.
WARNING: !FAILED: Failed to apply mitigations for SIGred CVE-2020-1350.

Verbose error output: The term 'Get-CimInstance' is not recognized as the name 
of a cmdlet, function, script file, or operable program. Check the spelling of 
the name, or if a path was included, verify that the path is correct and try 
again.

What OS and version of PowerShell?

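An added example, not part of any post in this thread: a read-only check that reports whether the TcpReceivePacketSize mitigation written by the script above is in place, and that also runs on PowerShell 2.0, where Get-CimInstance (introduced in PowerShell 3.0) does not exist. The function name Test-SigRedMitigation and the use of Get-Service in place of Get-WindowsFeature are assumptions made for this example.

```powershell
## Added example: read-only check of the CVE-2020-1350 registry mitigation.
## Test-SigRedMitigation is a hypothetical name; nothing here changes the system.
function Test-SigRedMitigation {
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $expected = 0xFF00   # 65280, the value the script above writes

    ## Get-CimInstance exists from PowerShell 3.0 on; fall back to WMI on 2.0
    If (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    } Else {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction Stop
    }

    ## Assumption for this example: the DNS Server role is detected through its
    ## service (named DNS, as in Restart-Service DNS above), not Get-WindowsFeature
    $dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $svcStatus  = 'absent'
    If ($dnsService) { $svcStatus = $dnsService.Status.ToString() }

    ## Read the value without creating or modifying anything
    $current = $null
    $prop = Get-ItemProperty -Path $regPath -Name TcpReceivePacketSize -ErrorAction SilentlyContinue
    If ($prop) { $current = $prop.TcpReceivePacketSize }

    If ($os.Caption -notlike '*Server*') { $state = 'NotApplicable: not a server OS' }
    ElseIf (-not $dnsService)            { $state = 'NotApplicable: DNS service not present' }
    ElseIf ($null -eq $current)          { $state = 'Missing: TcpReceivePacketSize not set' }
    ElseIf ($current -ne $expected)      { $state = 'WrongValue' }
    Else                                 { $state = 'RegistryValueSet' }

    ## The registry value only shows configuration; as the script above notes,
    ## the DNS service must have been restarted for the setting to apply.
    ## New-Object -Property works on PowerShell 2.0 ([pscustomobject] does not).
    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        OS                   = $os.Caption
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        DnsService           = $svcStatus
        TcpReceivePacketSize = $current
        State                = $state
    }
}

Test-SigRedMitigation | Format-List
```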
