CVE-2020-1350 aka SIGRed

A new critical CVE is in the wild and is being actively exploited. The vendor description is as follows:

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

Advice is to update ASAP. The workaround can be found here: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

A PowerShell command is available to block large DNS requests and responses over TCP (it caps the TCP packet size the DNS server will accept), followed by a restart of the DNS Server service:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters" -Name TcpReceivePacketSize -PropertyType DWORD -Value 0xFF00 -Force
Restart-Service -Name DNS    # service name is DNS; its display name is "DNS Server"
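As an added example (not from the original post, and not Microsoft's own script), the following PowerShell checks whether the documented registry workaround is present on the local DNS server and, if you call the second function, applies it and re-checks. The function names Test-SigRedWorkaround and Set-SigRedWorkaround are chosen here; the path, value name and 0xFF00 value are the ones from the Microsoft workaround above.

```powershell
# Added example, not part of the original post. Checks and optionally applies the
# CVE-2020-1350 TCP packet size workaround on the local Windows DNS server.
# Assumes the Microsoft-documented value: TcpReceivePacketSize = 0xFF00 under
# HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
$WorkaroundPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$WorkaroundName  = 'TcpReceivePacketSize'
$WorkaroundValue = 0xFF00   # 65280 decimal

function Test-SigRedWorkaround {
    # Returns an object showing whether the documented value is set and what is there now.
    $prop = Get-ItemProperty -Path $WorkaroundPath -Name $WorkaroundName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the server accepts the default (larger) TCP packet size.
        return [pscustomobject]@{ Applied = $false; Current = 'not set' }
    }
    $current = [int]$prop.$WorkaroundName
    [pscustomobject]@{
        Applied = ($current -eq $WorkaroundValue)
        Current = ('0x{0:X}' -f $current)
    }
}

function Set-SigRedWorkaround {
    # Writes the documented DWORD, restarts the DNS Server service (service name "DNS")
    # so the new limit takes effect, then returns the post-change check.
    New-ItemProperty -Path $WorkaroundPath -Name $WorkaroundName `
        -PropertyType DWORD -Value $WorkaroundValue -Force | Out-Null
    Restart-Service -Name DNS
    Test-SigRedWorkaround
}

# Usage (run elevated on a server holding the DNS Server role):
#   Test-SigRedWorkaround          # report only
#   Set-SigRedWorkaround           # apply, restart DNS, report
```

Run Test-SigRedWorkaround first on each DNS server before and after patching so you have a record of where the workaround is in place; the restart in Set-SigRedWorkaround briefly interrupts name resolution on that server, so apply it to one server at a time where you have redundancy.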

Ideally, the patch should be applied as soon as possible; the registry workaround is a stopgap, not a replacement.

More can be found here: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Migrate your Unifi Cloud Controller

Moving Unifi Cloud Controllers can be difficult. You may need to do this because you are:

  • Hosting on an old operating system
  • Moving platforms
  • Changing the FQDN or inform address
  • Keen on making life hard for yourself

There is no documented way to do this; however, we’ve found an approach that works quite well.

Scenario

We had a very old Ubuntu server running Unifi Cloud Controller. The version had a few issues, specifically around the mongodb database packages. Instead of trying to fix this, we decided to move to a new server based on Debian 9.5.

We first tried simply standing up another server with Debian 9.5 installed and a backup of our Unifi Cloud Controller applied. We then changed our DNS to point from the old server to the new server.

This didn’t work

We got many errors about too many devices connecting at once. This is the DDoS protection built into newer versions of the Cloud Controller. Also, some devices simply refused to connect to the new server, even though everything was essentially the same.

The Correct Way

We found the correct way to do this is to migrate your sites. In order to do this you need to have your second server built. We configured a new server, again on Debian 9.5 on AWS.

Old Server: wireless.contoso.com
New Server: unifi.contoso.com

Now you are ready to migrate your sites.

  1. Log in to your old controller and select the site you want to migrate
  2. Select settings -> Site and click Export Site
  3. You will first need to download the settings from this site and apply them to your new server
  4. Once this is done, select Next to confirm you have applied the settings, then set the FQDN of the new server and choose the devices you want to migrate
  5. You will now see the devices show up on your new Unifi Controller – note they will re-provision, and anything connected to them will be briefly disconnected
  6. The last option is to forget the devices on the old controller. I wouldn’t do this unless you are sure. Make sure each device is working as expected on the new server before it is removed from the old one.

There you go – you’ve done it.