Badlock

[Figure: Badlock.svg] Logo representing Badlock. SerNet took a similar approach to Heartbleed and gave this bug a name and a logo.

Badlock is a security bug in both Microsoft Windows and Samba that was disclosed in April 2016. It is a man-in-the-middle attack that downgrades security when certain DCERPC services are used and can be used to access sensitive information on servers. This vulnerability affected all supported versions of Windows and Samba.

While the CVEs associated with this bug were CVE-2016-2018 for Samba and CVE-2016-0128 for Windows, there was an additional list of CVEs associated with Samba.

It is thought that other SMB implementations that also implement the affected DCERPC services are also affected by the bug.

Badlock is perhaps the first security bug to affect two very different software environments because of their implementation of a common protocol.

History

Badlock was discovered as a result of Codenomicon's fuzzer being applied to both Windows and Samba during a Microsoft IOLab Event in June 2015[1]. The immediate issue that it uncovered was CVE-2015-5370, but in the process of fixing that bug, Samba Team members Stefan Metzmacher and Jeremy Allison investigated whether other downgrade attacks were possible and whether they could target implementations other than Samba. This led to the finding that both Windows and Samba were vulnerable to the Badlock bug. An exploit was written.

The fixes to Samba for the Badlock bug amounted to hundreds of patches and were released on 12-Apr-2016. In addition, backports were released for Samba 4.4, 4.3 and 4.2. There are also patches available for versions going back to 3.6.

Microsoft also released updated versions of Windows to remove the Badlock vulnerability on the same day.

Behavior

To exploit the Badlock bug, an attacker operates as a man in the middle, after somehow registering as an RPC service provider that administrators might connect to, and downgrades whatever security level a client asks for to simple connect security. This worked because the affected RPC packages did not verify that they were being called over secure (signed or sealed) channels.

The attacker then has a channel over which to retrieve the contents of the SAM or other information that would not normally be available to an unprivileged account.
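The downgrade described above, and the two checks that defeat it, as a minimal model written for this article (it is an added example, not code from Samba or Microsoft). The authentication-level values are the DCERPC constants; the interface list and the server and client functions are constructed assumptions for the model.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """DCERPC authentication levels (subset); a higher value is stronger."""
    CONNECT = 2          # authenticate once, then no per-packet protection
    PKT_INTEGRITY = 5    # every packet signed
    PKT_PRIVACY = 6      # every packet signed and encrypted


@dataclass
class Bind:
    interface: str       # RPC interface name, e.g. "samr" or "lsarpc"
    auth_level: AuthLevel


# Interfaces that hand out account data; constructed list for this example.
SENSITIVE = {"samr", "lsarpc", "netlogon"}


def mitm(bind: Bind) -> Bind:
    """Model of the attacker: rewrite the requested level down to CONNECT."""
    return Bind(bind.interface, AuthLevel.CONNECT)


def vulnerable_server(bind: Bind) -> bool:
    """Pre-fix behaviour: accept any level; the interface never checks that
    it is being called over a signed or sealed channel."""
    return True


def hardened_server(bind: Bind, minimum: AuthLevel = AuthLevel.PKT_INTEGRITY) -> bool:
    """Post-fix behaviour: sensitive interfaces require at least packet signing."""
    return not (bind.interface in SENSITIVE and bind.auth_level < minimum)


def client_session(requested: AuthLevel, server, enforce_client: bool, interface="samr"):
    """Run one bind through the attacker; return (server_accepted, client_continued)."""
    seen_by_server = mitm(Bind(interface, requested))
    accepted = server(seen_by_server)
    # A hardened client refuses to continue when the negotiated level is
    # lower than the one it asked for, even if the server accepted the bind.
    client_ok = accepted and (not enforce_client or seen_by_server.auth_level >= requested)
    return accepted, client_ok
```

Either check alone stops the downgrade: the hardened server rejects the CONNECT-level bind, and the hardened client abandons a session that came back weaker than requested.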

Impact

An attacker can obtain sensitive information from any RPC service that does not enforce signing, including the contents of the SAM (which includes passwords).

Remediation

Microsoft released fixes[2] for its supported operating systems on Patch Tuesday, 12-Apr-2016.

The Samba Team released Samba versions 4.4.2, 4.3.8 and 4.2.11 to fix these problems on 12-Apr-2016. However, regressions were introduced and further releases were required.

References

  1. [citation not rendered on the source page]
  2. [citation not rendered on the source page]
