Engineers at Microsoft and Samba have issued security fixes for the Badlock bug.
A website dedicated to the flaw describes Badlock (CVE-2016-2118) as a security vulnerability that affects Windows and Samba versions 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, and 4.4.0.
“On April 12th, 2016 Badlock, a crucial security bug in Windows and Samba was disclosed,” the website explains. “Please update your systems. We are pretty sure that there will be exploits soon.”
Attackers can leverage the vulnerability, which received a 7.1 base CVSS score and 6.4 temporal CVSS score, to perform man-in-the-middle (MitM) attacks against protocols used by Samba, allowing a malicious actor to execute arbitrary Samba network calls using the context of the intercepted user.
The flaw also allows an attacker with remote network connectivity to Samba to conduct denial of service (DoS) attacks against Samba services.
“If BadLock is successfully exploited, the attacker would be able to impersonate other users and subsequently may be able to retrieve password hashes, shutdown services, expose secrets from AD, manipulate file attributes, and gain access to protected files,” explains Tripwire Senior Security Researcher Craig Young.
Young added that while this particular bug may not seem as severe as a remote code execution (RCE) vulnerability, the fact that an attacker on the local network can likely exploit it through well-known techniques, such as ARP spoofing, makes it a critical vulnerability.
Those with affected versions of Samba can fix their systems by implementing the patches provided by the Samba Team and SerNet for EnterpriseSAMBA / SAMBA+.
Sysadmins might also choose to put additional MitM and DoS mitigations in place after patching is complete.
Badlock was first unveiled to the security community back in the middle of March 2016. It was discovered by Stefan Metzmacher, a member of the international Samba Core Team who works at SerNet on Samba. He reported the bug to Microsoft, and worked with the Redmond-based company to fix the problem.
Industry experts spent several weeks discussing what systems the bug might affect, speculation which many believe helped create an atmosphere of hype and FUD around Badlock.
Those responsible for disclosing the bug feel there is some utility to announcing a vulnerability weeks in advance and giving it its own website and logo.
“What branded bugs are able to achieve is best said with one word: Awareness,” they observe. “Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs. It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding – it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.”
Many on Twitter disagree, though some feel Badlock could teach the security community a positive lesson going forward.
Let's all learn from this and find ways to better present vulnerabilities like this in the future. #badlock #worktogether
— Ron Stoner (@forwardsecrecy) April 12, 2016
For more information on this vulnerability, please see the Badlock website here.