SAMBA Badlock Bug – Vulnerability Information
This page is dedicated to information regarding the Badlock Bug, CVE-2016-2118 / MS16-047 / CVE-2016-0128.
A security risk in Windows SMB (Server Message Blocks) and the open source implementation of the SAMBA protocol has been disclosed, getting dubbed SAMBA Badlock Bug by the disclosing security researchers. Microsoft and the SAMBA team jointly released a fix for CVE-2016-2118 (Samba) / CVE-2016-0128 (Microsoft). Initially it was presented as something beyond the normal – Something which after its presentation is questioned, see discussion at the end of the post regarding “vulnerability branding”, but essentially Microsoft rate the patch as important, but no more. While a man in the middle and DoS vulnerability may not quite be the type of vulnerability everybody was waiting for, it should still be taken seriously and patched.
What to tell your Boss
Due to the hype associated with this vulnerability, you will likely get a lot of questions about it. Overall, nothing fundamentally changed:
- Patch as you get to it, but no reason to rush this one
- Do not use SMB over networks you don’t trust
- Firewall SMB inbound and outbound
- If you need to connect to remote file shares, do so over a VPN.
Information was released on April 12th after an earlier announcement from German company SerNet, at the bugs dedicated website http://badlock.org/, alerting on the upcoming patch release. The early announcement informed administrators and system owners that the patch is critical and of high priority. The authors expect that attacks will follow soon after the patch release, generally an issue when reverse engineering of a fix allows analysts to pinpoint what data was adjusted in a fix.
Formally, the vulnerability is listed as CVE-2016-2118 (SAMR and LSA man in the middle attacks possible) and for Microsoft as MS16-047 / CVE-2016-0128.
Base: 7.1 (High); Temporal: 6.4 (Medium)
Microsoft list the update as “Important”
Related CVEs are also:
- CVE-2015-5370 (Multiple errors in DCE-RPC code)
- CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
- CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
- CVE-2016-2112 (LDAP client and server don’t enforce integrity)
- CVE-2016-2113 (Missing TLS certificate validation)
- CVE-2016-2114 (“server signing = mandatory” not enforced)
- CVE-2016-2115 (SMB IPC traffic is not integrity protected)
- Samba Security
- Samba CVE-2016-2118
- Microsoft Technet
- National Vulnerability Database
Nature of the vulnerabilities:
Mainly the vulnerabilities are man-in-the-middle vulnerabilities, meaning an attacker will have to intercept traffic and make changes to it.
Those affect a variety of protocols used by Samba.
These would permit execution of arbitrary Samba network calls using the context of the intercepted user. In bad scenarios this could entail modifying secrets in the AD database, including user password hashes. It is also possible to use the attacks for Denial of Service attacks, as this affects core services in most organizations it can have a severe impact on availability.
For standard Samba servers it is possible to modify user permissions on files or directories. Samba services are also vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.
Exploitability is proven
Affected and patched versions of SAMBA Badlock Bug
Affected versions of Samba are:
Patched versions are (both the interim and final security release have the patches):
- 4.2.10 / 4.2.11,
- 4.3.7 / 4.3.8,
- 4.4.1 / 4.4.2.
Why the attention
As a vulnerability management vendor, you know that not all bugs are equal. You also know that the ones promoted with logotypes and media coverage may not always be the worst, but they are the ones which drive questions, and hence something we must provide answers to. Over the last few years we have seen several “named” bugs, such as Poodle, ShellShock, HeartBleed, Beast and more. There is an advantage in increased awareness, but then we also see other researchers drawing less attention to their findings where critical risks remain overlooked by the security industry.
Examples in the latter case are for example the Java Deserialization issues in the common collections library. The original research were presented in January 2015, at slideshare, but it was not until November the same year Foxglove Security drew attention to the issue and hence got a far higher level of awareness of the threat, and an actual start of implementation of security fixes.
It should also be noted that the MS16-045 Hyper-V Code Execution from Guest OS, essentially a sandbox escape from virtual system to host OS via code execution, were a far more “interesting” issue from trust boundary perspectives.
Badlock was discovered by Stefan Metzmacher, a member of the Samba Core Team.
Badlock Bug is not the first vulnerability in SMB, and due to its complexity likely not the last. Due to the components core role in how Microsoft systems communicate and are managed, security issues in the component often has a high impact on security – A historical example would be MS09-001.