Introduction

On March 11, 2016, the domain badlock.org was registered by German consultancy SerNet in order to create a brand for a series of vulnerabilities discovered by Stefan Metzmacher. Eleven days later, on March 22, the InfoSec community on Twitter started to circulate the site’s ominous warnings of a “crucial security bug in Windows and Samba,” with major tech news sites such as Wired and The Register adding to the buzz shortly after. Details slowly trickled out over the following weeks, and the affected versions of Samba were listed on April 2nd. Apparently, SerNet began to feel the pushback against the over-branded hype, and they added a response to the Badlock site saying, “It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it.”

On April 12, the full details of Badlock, which is really a collection of several interrelated vulnerabilities, were released, timed specifically to align with Microsoft’s regular “Patch Tuesday” announcement. Reaction to the disclosure has been mixed. The relevant Windows patch is rated “Important” by Microsoft, not critical. That, along with Badlock’s overall CVSS 3.0 score of 7.1 (high), does not match the three weeks of blockbuster-style marketing and PR that billed it as “crucial” and rivaled the attention given to the far more critical and ubiquitous Heartbleed and Shellshock vulnerabilities.

Overview

Badlock consists of eight separate vulnerabilities, each detailed in its own CVE:

CVE-2015-5370 – Multiple errors in DCE-RPC code: Errors that prevent proper validation of specially crafted DCE-RPC packets can result in denial-of-service (DoS) for Samba.

CVE-2016-2110 – Man-in-the-middle attacks possible with NTLMSSP: It is possible under certain conditions to remove required encryption-related flags to disable encryption and allow a man-in-the-middle (MitM) attack against the Samba service.

CVE-2016-2111 – NETLOGON Spoofing Vulnerability: When Samba is configured as a Domain Controller, it allows an attacker to spoof the computer name of a client without the need for authentication. This allows the attacker to intercept potentially sensitive information.

CVE-2016-2112 – The LDAP client and server don’t enforce integrity protection: An attacker who has already obtained MitM status can remove integrity checks that are communicated between an LDAP client and server.

CVE-2016-2113 – Missing TLS certificate validation allows man-in-the-middle attacks: While TLS/SSL is supported in vulnerable versions of Samba, certificates are never validated, which facilitates MitM attacks.

CVE-2016-2114 – “server signing = mandatory” not enforced: A bug in Samba prevents SMB signing, even if explicitly set, which, again, facilitates MitM attacks.

CVE-2016-2115 – SMB client connections for IPC traffic are not integrity protected: SMB signing was again not enforced, this time for IPC traffic, and once more facilitating MitM attacks.

CVE-2016-2118 – SAMR and LSA man-in-the-middle attacks possible: Typically available on all Windows systems, this vulnerability allows an attacker positioned as a MitM to impersonate any user against the Security Account Manager (SAM) database and Local Security Authority (LSA). As a result, the attacker is able to get read/write access to the Security Account Manager Database, which reveals all passwords and any other potential sensitive information.

Impact

The vulnerabilities disclosed under the Badlock name affect multiple versions of Samba and corresponding components found in the most recent versions of Windows, and amount to either MitM or DoS-style attacks.

Under the MitM scenario, a local attacker can intercept an authenticated session and perform Samba network calls under the current session context. Samba.org lists the following examples in their write-up:

  • Samba AD server – view or modify secrets within an AD database, including user password hashes, or shut down critical services.
  • Standard Samba server – modify user permissions on files or directories.

It is important to note that the attacker would need to already have local access to the affected systems to properly execute this attack.

The DoS vulnerability is exploitable by a remote attacker and could bring down systems or services that rely on the Samba service.

No publicly available exploits have been identified for Badlock yet. SerNet has insinuated that they have proof-of-concepts, but no additional details have been released. Furthermore, while Microsoft has assigned Badlock an “Important” severity rating, they have assessed its exploitability at its lowest level: “3 – Exploitation Unlikely”.

Identification

The following versions of Samba are affected: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, 4.4.0 (earlier versions have not been assessed).

Microsoft lists most of its latest Windows operating systems as being affected by Badlock, specifically: Windows Vista, Server 2008, Windows 7, Server 2008 R2, Windows 8.1, Server 2012, Server 2012 R2, Windows RT 8.1, and Windows 10. They have also specifically noted that this vulnerability does not affect SMB, only the SAM and LSAD remote protocols.

Remediation

The officially patched versions of Samba are: 4.2.10/4.2.11, 4.3.7/4.3.8 and 4.4.1/4.4.2. Versions earlier than 4.2.x have been discontinued and are no longer supported. It is recommended that organizations running older versions upgrade as soon as possible. Samba.org warns that due to the patch and related fixes, new options and defaults are present in the patched versions that might impact compatibility with older third-party software. Hints and workarounds for these scenarios are listed on the Samba.org site.

Microsoft has released security bulletin MS16-047 to address this issue as part of April 12th’s regular “Patch Tuesday”.
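
The version lists in the Identification and Remediation sections can be turned into a quick inventory triage. The following is an added example, not code from SerNet, Samba.org or the original article; the status labels, host names and sample banners are constructed for illustration, and the banner is assumed to be the output of `smbd --version`.

```python
import re

# First fixed release per maintained branch (from the Remediation section).
FIRST_FIXED = {(4, 2): 10, (4, 3): 7, (4, 4): 1}
# Affected branches that are discontinued and receive no upstream fix.
DISCONTINUED = {(3, 6), (4, 0), (4, 1)}
NEEDS_ACTION = {"affected", "affected-unsupported"}


def classify(banner):
    """Map a Samba version banner to a status label (labels are hypothetical)."""
    # Take the first x.y.z triple; vendor suffixes such as "-Ubuntu" are ignored.
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in DISCONTINUED:
        return "affected-unsupported"   # upgrade to a maintained branch
    if branch in FIRST_FIXED:
        return "patched" if patch >= FIRST_FIXED[branch] else "affected"
    if branch < (3, 6):
        return "not-assessed"           # the page: earlier versions not assessed
    return "not-listed"                 # newer branch than any named on the page


def triage(inventory):
    """Return the sorted host names whose banner calls for patching or upgrade."""
    return sorted(h for h, b in inventory.items() if classify(b) in NEEDS_ACTION)


# Constructed sample inventory: host name -> `smbd --version` output.
SAMPLE = {
    "fs01": "Version 4.3.6-Ubuntu",
    "fs02": "Version 4.2.10-Debian",
    "dc01": "Version 4.4.0",
    "nas01": "Version 3.6.25",
    "old01": "Version 3.5.6",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE.items()):
        print(f"{host:6} {banner:24} {classify(banner)}")
    print("needs action:", ", ".join(triage(SAMPLE)))
```

Distribution packages often carry backported fixes without changing the upstream version number, so an "affected" result for a vendor build should be confirmed against that vendor's advisory before it is treated as final.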

Summary Opinion

While Badlock is certainly a concerning vulnerability that no doubt impacts an extremely large number of organizations and should be patched as soon as possible, the overblown hype and speculation it received leading up to its disclosure likely did more harm than good. For example, there were thirteen bulletins released on April 12th as part of Microsoft’s “Patch Tuesday.” Four of them had a “critical” severity, and one of those four (MS16-039) already has known remote command execution exploits in the wild. Despite this, discussions are focused on Badlock, a named vulnerability, where even according to SerNet, the name is arbitrary, as was the decision for it to be named in the first place.

Information security professionals need to tread carefully when it comes to creating awareness and not cross the line into generating unproductive fear, uncertainty, and doubt (FUD). As a penetration tester, I value the specific benefit that the branding gives to Heartbleed and Shellshock because it facilitates easier communication with our clients and brings awareness to truly critical issues. There will certainly be a future need for similar levels of awareness, and information security professionals should be much more calculated in these types of campaigns in order to retain our roles as trusted advisors.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.