Bug hype haters gonna hate hate hate: Badlock flaw more like Sadlock

The Badlock flaw in Windows and Samba file servers has been revealed after weeks of hype and anticipation. It is not as critical as feared, but it's still an annoyance. Fixes and mitigations are available today.

In late March, we were alerted to what was described as a "crucial security bug" in Windows and Unix-flavored SMB file servers. Patches were promised on April 12, and no other details were disclosed. The bug was discovered by Stefan Metzmacher.

His employer SerNet – a German IT services biz – preemptively gave the vulnerability its own website, a sexy name, a Twitter hashtag, and a logo, which drew a healthy amount of skepticism from the infosec world: will the flaw live up to this hype? Is this what the computer security industry really needs right now?

More importantly, is the "crucial security bug" Badlock a remote-code-execution hole? No. A privilege-escalation bug? No, not really.

It can, though, be exploited to knock file servers offline, or impersonate users. This means man-in-the-middle attackers can log in as other people. To pull this off, the crim has to be on the network; this isn't going to be something a remote attacker can leverage directly (unless your corporate or business network is insane.)

Badlock turns out to be a bunch of software holes and protocol design blunders:

• CVE-2016-2118 and CVE-2016-0128:

  A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers.

  • A miscreant on the network can downgrade the authentication level of an established connection to disable checks for tampering, allowing the attacker to alter what's sent between the server and client.
  • Affects Samba 3.6.0 to 4.4.0 (CVE-2016-2118) and all supported versions of Windows (CVE-2016-0128)
  • Apply fix or don't login as a privileged user on an unprotected network.
• CVE-2015-5370:

  Errors in Samba DCE-RPC code can lead to denial of service (crashes and high CPU consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.

  • Affects Samba from 3.6.0 to 4.4.0. Was discovered by Jouni Knuutinen from Synopsys and investigated by Jeremy Allison of the Samba Team and Google, and Stefan Metzmacher.
  • Apply fix. There is no workaround.
• CVE-2016-2110:

  The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.

  • A miscreant on the network can strip flags from connections that enforce anti-tamper measures and encryption. With these switched off, data between the server and client can be altered and spied on at will.
  • Affects Samba 3.0.0 to 4.4.0.
  • Apply fix. There is no workaround.
• CVE-2016-2111:

  When Samba is configured as Domain Controller, it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.

  • Affects Samba 3.0.0 to 4.4.0.
  • Apply fix. There is no workaround.
• CVE-2016-2112:

  A man in the middle is able to downgrade LDAP connections to no integrity protection. It's possible to attack client and server with this.

  • Again, it's possible for an attacker to remove the encryption and crypto-signing, allowing data to be transparently snooped and altered.
  • Affects Samba 3.0.0 to 4.4.0.
  • Apply fix. There is no workaround.
• CVE-2016-2113:

  Missing TLS certificate validation allows man in the middle attacks.

  • Samba just doesn't check if the server's certificate is valid, allowing an attacker to masquerade as a legit LDAPS and HTTPS server.
  • Affects Samba 4.0.0 to 4.4.0.
  • Apply fix. There is no workaround.
• CVE-2016-2114:

  Due to a regression introduced in Samba 4.0.0, an explicit server signing = mandatory in the [global] section of smb.conf was not enforced for clients using the SMB1 protocol.

  • Without SMB signing, traffic can be altered without the server and client knowing.
  • Affects Samba 4.0.0 to 4.4.0.
  • Apply fix or add server min protocol = SMB2 to smb.conf after server signing = mandatory. This will lock out SMB1-only clients – but you shouldn't be using SMB1 anyway.
• CVE-2016-2115:

  Samba has an option called "client signing", this is turned off by default for performance reasons on file transfers ... which makes man in the middle attacks possible.

  • Affects Samba 3.0.0 to 4.4.0.
  • Apply fix or set client signing = mandatory in the [global] of smb.conf.

The patches for these bugs can be obtained and installed from the Samba website, your favorite Linux distribution package manager, and Microsoft's Patch Tuesday batch out today.

Reaction

These flaws are annoying, but given that, in the vast majority of cases, they have to be exploited within an internal network, Badlock is looking more like Sadlock. Giving it a name and a logo was supposed to raise awareness, however, it means the next proper big bug with a codename and badge may be taken less seriously than it should.

It's also not a particularly good look for SerNet, which appeared to be publicizing a Samba flaw as serious while touting, er, Samba enterprise support.

"I’m left wondering who at SerNet decided the Badlock marketing campaign was a good idea and why," said Michael Gorelik, R&D veep at infosec biz Morphisec.

"Microsoft gave the vulnerability a security ranking of 'important' but not critical. In fact, it would be extremely difficult for cybercriminals to exploit the Badlock vulnerability. The attacker would need to be already inside the network and past any security mechanisms. He must be in a place in which he can sniff and intercept the traffic and would need administrative credentials to access resources required for network interception from inside the network.

"So if this was to be used by anyone soon, it could only be by those that already reside in a very specific network and have remote access controls.

"SerNet’s hype of Badlock hurts honest efforts to make companies and their information systems more secure. The awkward announcement three weeks ago, and the following flurry of speculation, took attention away from dozens of truly severe vulnerabilities, all needing the attention of IT teams."

New Context veep Andrew Storms added: "My biggest piece of advice in the face of BadLock is stay calm and don’t chase the hype. For those affected by BadLock, now is a good time to ensure your patching process is as automated as possible.

"Those without an automated patching system in place should seriously consider implementing the mitigation actions as outlined by the Samba team. These configuration changes are good security practice regardless."

It was feared that the name Badlock referred to a locking mechanism in the open-source Samba code, thus giving hackers a three-week head start on finding the vulnerability before patches were distributed publicly. However, SerNet said the moniker is a "rather generic name and does not point to any specifics." As it turns out, Badlock had nothing to do with locking – instead, it involves connection hijacking.

"It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it," the Badlock website noted, adding the "main goal ... was to give a heads up."

"What branded bugs are able to achieve is best said with one word: awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs," SerNet added. Metzmacher, a Samba developer, was not available for immediate comment. ®