Badlock Bug

Update 13/04/2016

The folks at badlock.org have published the details of the bug found in the SMB protocol. The basic advice still holds: apply the patches provided by your vendor as soon as possible.

Badlock for Samba (primarily Linux) is referenced by CVE-2016-2118 and for Windows by CVE-2016-0128 / MS16-047.

Introduction

On April 12th, 2016, a crucial security vulnerability in Windows and Samba will be disclosed.

At this point the scope and full impact of the vulnerability are not known, but it is probably a design flaw in the SMB protocol.

Description

It is assumed that the bug is to be found in a file or resource locking mechanism within the SMB implementation and might lead to a remote code execution flaw.

The SMB protocol is primarily used for file and print sharing on internal networks.

Who is affected?

The vulnerability will affect most operating systems supporting SMB:

  • Windows;
  • Linux / Unix;
  • OSX;
  • BSD-systems;
  • Possibly appliances that provide data storage.

Clients supporting SMB (which includes most systems) might also be affected if they are tricked into connecting to a vulnerable SMB server outside their network.

In conclusion this means almost every system is affected.

Impact

Because details of this vulnerability are not yet known, it is impossible to predict the exact impact. Based on the available information, this vulnerability might lead to the remote execution of arbitrary code. In essence this means that exploitation of this vulnerability might allow an attacker to execute code at will on the targeted system, which could potentially lead to

  • data leakage;
  • credential theft;
  • denial of service of a system;
  • attack vectors against other systems.

A possible mitigating factor is that the SMB protocol should only be reachable on internal networks. This means that an attack could be limited to a "local" attack. Do take into account though that, when combined with other attack vectors, an outside attacker might still be able to abuse this weakness.

What should I do?

Firstly: monitor the website of the Badlock Bug [1] very closely for future updates. Full details will be announced on 12 April 2016.

Secondly: get prepared. You can prepare by:

  • Inventorying all the SMB servers that you have on your network. This might be a good time to scan your network for SMB systems that are missing from the inventory. Do not limit the inventory to the "normal" servers providing SMB services (Windows, Linux, OSX) but also take into account appliances offering SMB (for example NAS systems);
  • Reviewing your patch management procedures and getting prepared to deploy a large set of patches;
  • Monitoring the announcements from your suppliers (Windows Update, Linux advisories, ...);
  • Verifying that you have firewall filters for inbound and outbound SMB; consider already logging the SMB requests on your perimeter, since this logging can help with the inventory;
  • Deploying network ACLs on the SMB servers.
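The perimeter logging suggested above can feed the inventory directly. As an added example (not part of the original advisory), this Python script parses netfilter/iptables LOG lines and lists the internal hosts that receive SMB connection attempts, plus any internal client that tries to reach an SMB server outside the network; the internal address ranges and the log lines are assumed and constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}
# Address ranges treated as "internal"; assumed values, adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Fields of a netfilter LOG line that we need; everything in between is skipped.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")
# Constructed sample: three SYNs to internal SMB servers, one SYN to an outside SMB server, one non-SMB port, one mid-connection ACK.
SAMPLE_LOG = """\
Apr 12 10:01:02 fw kernel: SMB-LOG IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:01:03 fw kernel: SMB-LOG IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=49153 DPT=139 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:01:04 fw kernel: SMB-LOG IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=49154 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:01:05 fw kernel: SMB-LOG IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=49155 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:01:06 fw kernel: SMB-LOG IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=49156 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:01:07 fw kernel: SMB-LOG IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=229 RES=0x00 ACK URGP=0
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify_smb(lines):
    """Return (servers, outbound): servers maps each internal host receiving SMB connection
    attempts to the ports used; outbound holds (src, dst, port) for SMB leaving the internal ranges."""
    servers = defaultdict(set)
    outbound = set()
    for line in lines:
        m = LOG_RE.search(line)
        # Only count new connections (SYN), so each session is inventoried once.
        if not m or " SYN " not in line:
            continue
        dpt = int(m.group("dpt"))
        if dpt not in SMB_PORTS:
            continue
        src, dst = m.group("src"), m.group("dst")
        if is_internal(dst):
            servers[dst].add(dpt)
        elif is_internal(src):
            outbound.add((src, dst, dpt))
    return dict(servers), outbound

if __name__ == "__main__":
    servers, outbound = classify_smb(SAMPLE_LOG.splitlines())
    for host, ports in sorted(servers.items()):
        print(f"SMB server {host} on ports {sorted(ports)}")
    for src, dst, port in sorted(outbound):
        print(f"WARNING: {src} attempted outbound SMB to {dst}:{port}")
```

Hosts that appear in the servers list but not in your inventory are the ones to chase first; outbound entries indicate clients reaching SMB servers outside the network.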

There is no need for panic; getting prepared and having good patch management procedures will help you.

External resources

  1. http://badlock.org/
  2. https://isc.sans.edu/forums/diary/Getting+Ready+for+Badlock/20877/
  3. http://www.theregister.co.uk/2016/03/22/badlock_bug/
  4. https://nakedsecurity.sophos.com/2016/03/24/badlock-critical-vulnerabili...

Version

  • v2 : 13/04/2016 : Update, release of bug details
  • v1 : 29/03/2016 : Initial release