Weeks of anxiety and concern over the Badlock vulnerability ended today with an anticlimactic thud.
Badlock was the security boogeyman since the appearance three weeks ago of a website and logo branding the bug as something serious in Samba, an open source implementation of the server message block (SMB) protocol that provides file and print services for Windows clients.
As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.
SerNet, a German consultancy behind the discovery of Badlock, fueled the hype at the outset with a number of since-deleted tweets that said any marketing boost as a result of its branding and private disclosure of the bug to Microsoft was a bonus for its business.
For its part, Microsoft refused to join the hype machine and today in MS16-047 issued a security update it rated “Important” for the Windows Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD). The bulletin patches one vulnerability (CVE-2016-0128), an elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels, Microsoft said. An attacker could then impersonate an authenticated user.
Samba, meanwhile, also patched its software in versions 4.2.10/4.2.11, 4.3.7/4.3.8, and 4.4.1/4.4.2. Older versions starting with the 4.1 release branch are end of life, Samba said, and will not be patched.
Badlock in Samba is CVE-2016-2118 and umbrellas seven vulnerabilities including man-in-the-middle attacks with NTLMSSP, issues with DCE-RPC code, NETLOGON spoofing, missing TLS certificate validation and more.
“There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user,” said an advisory published today on badlock.org.
The risks to a Samba Active Directory server including manipulation of secrets such as password hashes or service shutdown in an Active Directory database, or the modification of file or directory permissions. Sernet also warns that an attacker could use these vulnerabilities to remotely trigger a denial of service condition.
The bug, meanwhile, has not been publicly exploited according to Microsoft and SerNet, despite attackers having a three-week headstart.
“It may be possible since we already have several PoC (none of them will be released in the near future),” the badlock.org advisory said.
Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.
“Badlock is one more potentially dangerous exploit that was identified and addressed by the open source community before it caused significant damage to the broader connected world,” he said.
The Samba team said there are a number of mitigations that can be used until patches are applied, including DHCP snooping and ARP inspection to counter man-in-the-middle attacks, and firewall rules permitting connectivity only from trusted addresses could prevent denial-of-service attacks.
Badlock, meanwhile, threatens to take focus away from the remainder of today’s Microsoft security bulletins, six of which were rated critical by Microsoft.
“For many people, the Badlock hype was just that, a lot of hype,” said Andrew Storms, vice president of security services at New Context. “Security teams should patch immediately, but also put it in perspective with all of the patches that Microsoft released today. For example, patching a remote code execution bug in Internet Explorer may be more important to your organization than the over-hyped Badlock.”
Representatives of SerNet and Samba did not return requests for comment. The security community, however, in short order took to Twitter with a tidal wave of cynical reaction to the Badlock hype.
May I be the first to suggest nominating #badlock for a pwnie for most overhyped bug?
— David Litchfield (@dlitchfield) April 12, 2016
— Eric Conrad (@eric_conrad) April 12, 2016
"And the Internet yawned. The #Badlock story."
— Dave Lewis (@gattaca) April 12, 2016
I apologize to any followers I may have mislead by implying #badlock was a dangerous bug. I am also shocked by this development.
— Dave Maynor (@Dave_Maynor) April 12, 2016