The Schwartz Report


Badlock Security Vulnerability: How Bad is It?

Experts say administrators should apply an important security patch (MS16-047: Security update for SAM and LSAD remote protocols) released by Microsoft ASAP to repair a vulnerability that could let an attacker intercept network communication between Linux and Unix clients and servers running the open source Samba file and print services connected to Active Directory. Despite the advice, some are scrutinizing the alarm level over the bug, which has the ominous name Badlock.

Critics claim the noise level about Badlock is unusually high, noting there are no known compromises based on the flaw. A report in Wired on Tuesday indicated that the German security company SerNet, whose engineer Stefan Metzmacher discovered and disclosed the bug late last month, has hyped the severity of the bug. Some critics questioned the need for the separate domain and Web site SerNet created, using the Heartbleed template and a prominent logo, to publish information about the bug.

"While we do recommend you roll out the patches as soon as possible -- as we generally do for everything -- we don't think Badlock is the 'Bug to End All Bugs,'" said Tod Beardsley, senior security research manager at security vulnerability and threat analytics provider Rapid7, in a blog post. "In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better depending on your point of view) attacks they may leverage."

The Badlock site contains information on the bug. Defending its decision to draw attention to Badlock, an explanation on the site argued: "What branded bugs are able to achieve is best said with one word: awareness. Furthermore, names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs."

Badlock is a protocol flaw in DCE/RPC, the core remote procedure call mechanism used by Samba file and print services, and in its sub-protocols, the Local Security Authority (LSA) protocol for domain policies and the Security Account Manager Remote Protocol (SAMR), which are collectively used in Microsoft Windows Active Directory infrastructure.

The risk of Badlock, if successfully exploited, is that an attacker could intercept those over-the-network protocols, enabling distributed denial of service attacks or man-in-the-middle (MITM) attacks; a MITM attacker could circumvent Active Directory authentication and change permissions and passwords.

"There are several MITM attacks that can be performed against a variety of protocols used by Samba," according to the Badlock site. "These would permit execution of arbitrary Samba network calls using the context of the intercepted user." The vulnerability applies to all applications implementing this protocol, including Samba (CVE-2016-2118) and Microsoft Windows (CVE-2016-0128).

In a worst case scenario, the site warned an attacker could "view or modify secrets within an AD database, including user password hashes, or shutdown critical services," or on a "standard Samba server, modify user permissions on files or directories." The Samba project issued its own patches.
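Because the attack described above is an on-the-wire interception of DCE/RPC traffic, the defensive question for a Samba administrator is whether the server and its IPC connections to the domain controller still negotiate signing and privacy downward. The script below is an added example, not code from the article, SerNet or the Samba project: it parses an smb.conf and flags the signing and DCE/RPC authentication-level settings that leave room for a downgrade. The option names (`server signing`, `client signing`, `client ipc signing`, `allow dcerpc auth level connect`) and the values they accept are assumptions drawn from the Samba 4.4-era smb.conf(5) manual and should be verified against the release in use; both sample configurations are constructed for illustration.

```python
"""Audit an smb.conf for the signing and DCE/RPC auth-level settings that
blunt a Badlock-style man-in-the-middle downgrade.

Added example; not the article's, SerNet's or the Samba project's code.
Assumption: the four option names below exist with the checked values
(Samba 4.4+). Verify against smb.conf(5) for your release.
"""

import re

# (option, acceptable values, why a weaker value matters)
CHECKS = [
    ("server signing", {"mandatory"},
     "SMB signing on inbound connections; 'auto'/'default' is negotiable and can be stripped"),
    ("client signing", {"mandatory"},
     "SMB signing on outbound connections from this host"),
    ("client ipc signing", {"mandatory"},
     "signing on IPC$ (DCE/RPC) connections, e.g. to the domain controller"),
    ("allow dcerpc auth level connect", {"no", "false", "0"},
     "permits DCE/RPC auth level 'connect', which has no integrity or privacy"),
]


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines and
    '#' / ';' comment lines. Keys are lowercased with whitespace runs
    collapsed, mirroring how Samba treats 'Server  Signing' and
    'server signing' as the same option."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit(sections):
    """Return (option, observed value, explanation) for every global
    option that is absent or set to a value outside the accepted set.
    An absent option is reported too, because its effective value then
    depends on the build's defaults rather than on explicit policy."""
    glob = sections.get("global", {})
    findings = []
    for option, ok_values, why in CHECKS:
        value = glob.get(option)
        if value is None:
            findings.append((option, "absent", "not set; relies on build default: " + why))
        elif value.lower() not in ok_values:
            findings.append((option, value, why))
    return findings


# Constructed sample: explicitly relaxed settings a MITM can exploit.
WEAK_CONF = """
[global]
   workgroup = CORP
   server role = member server
   # negotiable signing and 'connect'-level RPC auth allow a downgrade
   server signing = auto
   client ipc signing = auto
   allow dcerpc auth level connect = yes

[share]
   path = /srv/share
"""

# Constructed sample: the same host with signing and privacy enforced.
HARDENED_CONF = """
[global]
   workgroup = CORP
   server role = member server
   server signing = mandatory
   client signing = mandatory
   client ipc signing = mandatory
   allow dcerpc auth level connect = no

[share]
   path = /srv/share
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for option, value, why in audit(parse_smb_conf(conf)) or [("(none)", "", "all checks passed")]:
            print(f"  {option}: {value} -> {why}")
```

Run it against a copy of the live smb.conf (or the output of `testparm -s`, which prints the effective settings) to see every check that falls back on defaults; an empty result only means the explicit settings match, not that the Samba binaries themselves carry the Badlock fix, so pair it with a version check.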

For Microsoft's part, the most critical of the 13 bulletins released this week was MS16-039, Security Update for Microsoft Graphics Component. That patch remediates vulnerabilities in Windows, the .NET Framework, Office, Skype for Business and Lync. The most significant risk is the potential for a remote code execution attack if a user opens certain documents or visits Web pages containing malicious fonts, Microsoft said. Chris Goettl, a product manager at security vendor Shavlik, told the popular KrebsOnSecurity site that the Microsoft Graphics Component update addresses four vulnerabilities, two of which have already been detected in exploits.

Posted by Jeffrey Schwartz on 04/14/2016 at 12:43 PM

