Despite the Badlock hype machine cranked up high, we don’t know much about this impending soul-crushing vulnerability other than it could be bad, it could be in the Windows Server Message Block and it already has its own requisite logo and website.
Nonetheless, we have a little more than two weeks before the next Microsoft Patch Tuesday on April 12 to speculate, guess and fear what might come first: the patch or a public exploit.
Stefan Metzmacher, a member of the Samba team and an employee with German consultancy SerNet, is credited with finding the bug and said both Samba and Windows will be patched. He said deductive reasoning leads us to consider that the bug might be in Server Message Block (SMB). Samba is an open source SMB implementation.
Bug hunters, good and bad, are surely on the case and some have already found what could be a juicy clue in one of Metzmacher’s commits to git.samba.org. Metzmacher is the author of the lock.c file in Samba—it handles SMB2 client lock handling—and within a particular commit he includes a comment: ” /* this is quite bizarre – the spec says we must lie about the length! */”
There’s no confirmation this is the bug, but one researcher told Threatpost that the comment indicates that there are places in the protocol where the size of a string would be misrepresented. This could lead to serious errors because a developer could use the size to allocate space in a buffer, which is fine if the number is accurate. But if the length is a “lie” as Metzmacher says, and you copy more bytes than there is room allocated, you have a buffer overrun and code execution.
Whether this is enough information there for an exploit writer to craft something nasty in the next two weeks remains to be seen. One thing is for certain, however: defenders will sway in the wind for the next 15 days.
“A skilled exploit writer may have enough information to write an exploit based on this information. On the other hand, as a defender, I am missing some details,” said Johannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center. “For example, it would be nice to know if this affects servers only, or clients as well. Which network ports and which SMB version are affected? These are things that would help defenders, but they are missing from the advisory.”
The Badlock website isn’t helpful on details either, other than to say that patches will be available for Samba 4.4, 4.3 and 4.2; it cautions that since Samba 4.4.0 was released March 22, Samba 4.1 will no longer be supported.
The SANS website, meanwhile, cautions that UNIX administrators need to pay attention to the details once they’re made public, and suggest scanning environments for servers with SMB enabled; it’s expected that UNIX implementations would also patch on or around the April 12.
In the meantime, the situation has also stirred up a healthy debate over whether big bugs are being trivialized, not only by self-serving advanced notification, but also by websites and branding with logos.
From Badlock.org:
“The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.
Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.”
Microsoft has chosen not to add anything to the discussion; a representative told Threatpost: “Unfortunately, Microsoft doesn’t have anything to share.” Sernet CEO Johannes Loxen refused to comment further in an email to Threatpost beyond what is on the badlock.org side. Loxen did concede in a tweet that the advanced notification on the bug is self-serving in terms of marketing and attention toward his company. The tweets have since been deleted.
Dan Kaminsky, whose 2008 DNS vulnerability and patch coordination is largely considered the first of its kind, was critical of the hype. He told Wired that this type of disclosure isn’t helpful to admins. “What’s the call to action other than to pay attention?”
Andrew Storms, vice president of security services at New Context, recalled the angst for some around Microsoft’s decision of last January to discontinue Patch Tuesday advanced notification and limit it only to paying Premier customers.
“I’ve always been a proponent of the advanced notification. And I was one of the people upset when Microsoft closed up ANS. That few days of heads up gives managers a chance to prep resources,” Storms said. “Whether that’s people or servers or test systems, I’ve always contended that some heads up is better than the big surprise disruption.”
SANS’ Ullrich said advanced notification allows for preparation in areas such as inventories of vulnerable systems, counter measures and configuration options, all of which speed up patching.
“‘Branded’ vulnerabilities are likely patched faster and more organizations will patch them given the attention paid to them (it would be nice to collect some hard numbers on this, but I haven’t seen any studies to that effect yet),” Ullrich said. “On the other hand, ‘branded’ vulnerabilities should be reserved for the most severe vulnerabilities. In that way, we will have to see if this vulnerability does meet that threshold.”