Slashdot Mirror


Badlock Vulnerability Falls Flat Against Hype (threatpost.com)

msm1267 quotes a report from Threatpost: Weeks of anxiety and concern over the Badlock vulnerability ended today with an anticlimactic thud. Badlock was the security boogeyman since the appearance three weeks ago of a website and logo branding the bug as something serious in Samba, an open source implementation of the server message block (SMB) protocol that provides file and print services for Windows clients. As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it's a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services. SerNet, a German consultancy behind the discovery of Badlock, fueled the hype at the outset with a number of since-deleted tweets that said any marketing boost as a result of its branding and private disclosure of the bug to Microsoft was a bonus for its business. For its part, Microsoft refused to join the hype machine and today in MS16-047 issued a security update it rated 'Important' for the Windows Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD). The bulletin patches one vulnerability (CVE-2016-0128), an elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels, Microsoft said. An attacker could then impersonate an authenticated user.
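
A defender-side check, added here as an example (not code from Threatpost, Microsoft or the Samba project): it reads the sec_trailer of a captured DCE/RPC BIND and flags a negotiated authentication level below PKT_INTEGRITY, the kind of downgrade the summary describes for the SAM and LSAD channels. The SAMR and NDR UUIDs are the well-known interface identifiers; the BIND bytes themselves are a constructed fixture.

```python
import struct
import uuid

# DCE/RPC connection-oriented constants (C706 / MS-RPCE sec_trailer)
PTYPE_BIND = 11
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
AUTH_TYPES = {0: "NONE", 9: "SPNEGO", 10: "NTLMSSP", 16: "KRB5"}
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")  # SAMR interface
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax

def build_bind(auth_type, auth_level, auth_value=b"\x00" * 8):
    """Constructed fixture: a minimal little-endian BIND for SAMR with one sec_trailer."""
    body = struct.pack("<HHI", 4280, 4280, 0)          # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)               # one presentation context
    body += struct.pack("<HBB", 0, 1, 0) + SAMR_UUID.bytes_le + struct.pack("<I", 1)
    body += NDR_UUID.bytes_le + struct.pack("<I", 2)
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0) + auth_value
    frag_len = 16 + len(body) + len(trailer)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      frag_len, len(auth_value), 1)
    return hdr + body + trailer

def auth_level_of(pdu):
    """Return (ptype, auth_type, auth_level); a PDU with no sec_trailer counts as level NONE."""
    if len(pdu) < 16:
        raise ValueError("truncated DCE/RPC header")
    ptype = pdu[2]
    little = bool(pdu[4] & 0x10)                       # drep byte 0, bit 4: integer endianness
    frag_len, auth_len = struct.unpack("<HH" if little else ">HH", pdu[8:12])
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if auth_len == 0:
        return ptype, 0, 1
    off = frag_len - auth_len - 8                      # 8-byte sec_trailer precedes auth_value
    if off < 16:
        raise ValueError("auth_length larger than PDU")
    return ptype, pdu[off], pdu[off + 1]

def describe(pdu):
    ptype, auth_type, auth_level = auth_level_of(pdu)
    return f"{AUTH_TYPES.get(auth_type, auth_type)}/{AUTH_LEVELS.get(auth_level, auth_level)}"

def weak_bind(pdu, minimum=5):
    """True when a BIND negotiates below `minimum` (PKT_INTEGRITY): unsigned, downgrade-prone."""
    ptype, _auth_type, auth_level = auth_level_of(pdu)
    return ptype == PTYPE_BIND and auth_level < minimum

if __name__ == "__main__":
    for pdu in (build_bind(10, 2), build_bind(16, 6)):
        print(describe(pdu), "weak" if weak_bind(pdu) else "ok")
```

Run over real captures, the same trailer offset logic applies to ALTER_CONTEXT and REQUEST PDUs, so a drop from PKT_PRIVACY to CONNECT mid-association is what to alert on.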

21 comments

  1. Was it because if you're talking MS protocols... by xxxJonBoyxxx · · Score: 1

    Was the "lack of hype" because if you're talking Microsoft protocols to any particular machine it's already "game over" because you're probably already behind all their defenses?

  2. Red Hat has a different view - and it's not hype by darthcamaro · · Score: 3, Informative

    I don't know much about Windows and there are 12 other advisories more impactful than Badlock this month - but Red Hat has taken the Linux related vulnerabilities *very* seriously - which is a good thing, it means no shellshocked/heartbleed repeat, patches on time and no real risk.

    "Working closely with the community over many months, Red Hat engineers have been heavily involved in the process of analyzing and developing Samba patches for Badlock-associated issues," Josh Bressers, security strategist at Red Hat said.

  3. It's a relief I guess by The-Ixian · · Score: 3, Insightful

    I was anticipating the worst and so it's good that we can just continue with our normal patch cycle.

    Shame on SerNet for causing undue stress in Windows admins everywhere... jerks

    --
    My eyes reflect the stars and a smile lights up my face.
  4. Re:Was it because if you're talking MS protocols.. by Dutch Gun · · Score: 1

    Unless I'm misunderstanding something here, the "thud" means "who would open a SMB service to the internet anyway?" That's why some security people were confused why they were making such a big deal over a SMB vulnerability. Needs to be fixed, yes, but not a huge deal, since that's typically a service only exposed to your own intranet.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  5. Re:Red Hat has a different view - and it's not hyp by Anonymous Coward · · Score: 0

    Yeah - I guess the limit on this one, though, is that only a single application (samba) is affected in the Unix/Linux ecosystem, so it is a lot easier to fix this. Simply upgrade Samba to a supported version. And in the Windows world? Just keep on rolling through with Windows Update.

    As Microsoft point out, vulnerabilities in web browsers are a bigger security threat for a typical installation (irrespective of OS).

  6. I don't even use Windows anymore dude =/ by Anonymous Coward · · Score: 0

    The worst cases are the Windows machines that are not supposed to run a server, but are kinda "kidnapped" during happy games using other sources of vulvas, I mean vulnerabilities.

  7. Shit, I've been calling it "Bigcock" for weeks. by Anonymous Coward · · Score: 0

    I heard about this a few weeks ago when it first hit the news. But since then I've been mistakenly calling it the "Bigcock" flaw, instead of "Badlock". I've been telling important people within the company that we need to dedicate some time to making sure our systems weren't vulnerable to the "Bigcock" bug. At least now I know why they were laughing at me. I'm sure going to have egg on my face tomorrow. Not only does this end up being minor, but I've been calling it "Bigcock" of all things for weeks now.

    1. Re:Shit, I've been calling it "Bigcock" for weeks. by Anonymous Coward · · Score: 1

      This is not a minor bug. Exploiting this bug allows you to impersonate the domain administrator. That then allows you to extract all passwords for all users in the domain.

    2. Re:Shit, I've been calling it "Bigcock" for weeks. by Gumbercules!! · · Score: 1

      How? Domain admins cannot extract users' passwords. The encryption isn't reversible (by default, unless you foolishly tell it you want it to be). Potentially as a domain admin you could disable password lockouts and try massive brute force attacks but surely someone else would notice the billions of failed logins in the logs?

      No matter which way you cut it, you need to be inside the domain, already, to start exploiting this. If you're already in the domain, then the victim already has problems. Not saying this isn't real - but it's just another headache for the victim, not the original attack vector.

    3. Re:Shit, I've been calling it "Bigcock" for weeks. by Anonymous Coward · · Score: 1

      You cannot extract the users' plaintext passwords. But you can most definitely extract the kerberos secrets for the users which is just as good as the plaintext passwords themselves.

      ktexport.exe for example.
      See here for more tools to dump the secrets for all users from DC/ADS. You have to be domain admin though.

      Samba also has their own tools to dump all the secrets to a keytab so that it can be imported into wireshark.
      It is VERY useful to be able to decrypt kerberos protected DCE/RPC traffic when debugging or testing.

      (I wrote the kerberos decryption code for wireshark.)

    4. Re:Shit, I've been calling it "Bigcock" for weeks. by Anonymous Coward · · Score: 0

      Oops, "see here" should be followed by a link:

      https://wiki.wireshark.org/Kerberos

    5. Re:Shit, I've been calling it "Bigcock" for weeks. by Gumbercules!! · · Score: 1

      Nice, thanks.

    6. Re:Shit, I've been calling it "Bigcock" for weeks. by awkScooby · · Score: 1

      Read up on Golden Ticket and Pass-the-Hash. It works. Been there, done that.

  8. Re:Was it because if you're talking MS protocols.. by Jeremy Allison - Sam · · Score: 5, Informative

    It's not an SMB protocol bug. It's a generic flaw in the DCE RPC protocol used for all RPC services on Windows and specifically to administer Active Directory Domain Controllers. That's why we really want people to patch (both Samba *and* Windows users).

  9. Re: Shit, I've been calling it "Bigcock" for weeks by Anonymous Coward · · Score: 0

    It won't be egg.

  10. Re:Red Hat has a different view - and it's not hyp by Anonymous Coward · · Score: 0

    How serious is *very* serious? To me it seems RH is simply doing its job. Which is good, but not exceptional.

  11. Lateral Movement by Anonymous Coward · · Score: 0

    The problem with this vulnerability is that it provides yet another mechanism for lateral movement within a compromised network. See, e.g., Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention.

    Just thinking this isn't a problem because "no one exposes SMB ports" is missing the point. This can be very bad. Think about what happened to Sony -- hackers got in, moved data around, and spent their time, using various exploits. This is one that could be very helpful in such an attack.

  12. How Badlock Was Discovered and Fixed by Jeremy Allison - Sam · · Score: 1

    Fantastic article from Alexander Bokovoy on how this thing was found and fixed!

    http://rhelblog.redhat.com/201...