The Schwartz Report

Blog archive

Badlock Security Vulnerability: How Bad is It?

Experts say administrators should apply an important security patch (MS16-047: Security update for SAM and LSAD remote protocols) released by Microsoft ASAP to repair a vulnerability that could let an attacker intercept network communication between Linux and Unix clients and servers running the open source Samba file and print services connected to Active Directory. Despite the advice, some are scrutinizing the alarm level over the bug, which has the ominous name Badlock.

Critics claim the noise level about Badlock is unusually high, noting there are no known compromises based on the flaw. A report in Wired Tuesday indicated the German security company SerNet, whose engineer Stefan Metzmacher discovered and disclosed the bug later last month, has hyped severity of the bug. Some critics questioned the need for a separate domain and Web site SerNet created using the Heartbleed template and a prominent logo, with information about the bug.

"While we do recommend you roll out the patches as soon as possible -- as we generally do for everything -- we don't think Badlock is the 'Bug to End All Bugs,'" said Tod Beardsley, senior security research manager at security vulnerability and threat analytics provider Rapid7, in a blog post. "In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better depending on your point of view) attacks they may leverage."

The Badlock site contains information on the bug. Defending its decision to draw attention to Badlock, an explanation on the site argued: "What branded bugs are able to achieve is best said with one word: awareness. Furthermore, names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs."

Badlock is a protocol flaw in DCE/RPC, the core remote procedure call used for Samba file and print services along with its underlying sub-protocols Local Security Authority (LSA) for domain policies and the Security Account Manager Remote Protocol (SAMR), which are collectively used in the Microsoft Windows Active Directory infrastructure.

The risk of Badlock, if successfully exploited, is a hacker could intercept those over-the-network protocols, enabling distributed denial of service attacks or man-in-the middle (MITM) attacks, allowing an attacker to circumvent Active Directory authentication and change permissions and passwords.

"There are several MITM attacks that can be performed against a variety of protocols used by Samba," according to the Badlock site. "These would permit execution of arbitrary Samba network calls using the context of the intercepted user." The vulnerability applies to all applications implementing this protocol, including Samba - CVE-2016-2118, and Microsoft Windows - CVE-2016-0128."

In a worst case scenario, the site warned an attacker could "view or modify secrets within an AD database, including user password hashes, or shutdown critical services," or on a "standard Samba server, modify user permissions on files or directories." The Samba project issued its own patches.

For Microsoft's part, the most critical of the 13 bulletins released this week was MS16-039, Security Update for Microsoft Graphics Component. That patch remediates vulnerabilities in Windows, the .NET Framework, Office, Skype for Business and Lync. The most significant risk is the potential to launch a remote code execution attack if a user opens certain documents or accesses Web pages with infected fonts, Microsoft said. Chris Goettl, a product manager at security vendor Shavlik, told the popular KrebsOnSecurity site that the Microsoft Graphics Component targets four vulnerabilities, two of which have been detected already in exploits.

Posted by Jeffrey Schwartz on 04/14/2016 at 12:43 PM


comments powered by Disqus

Subscribe on YouTube