Slashdot Mirror

← Back to Stories (view on slashdot.org)

Badlock Vulnerability Falls Flat Against Hype (threatpost.com)

Posted by BeauHD on from the caught-up-in-the-hype dept.

msm1267 quotes a report from Threatpost: Weeks of anxiety and concern over the Badlock vulnerability ended today with an anticlimactic thud. Badlock was the security boogeyman since the appearance three weeks ago of a website and logo branding the bug as something serious in Samba, an open source implementation of the server message block (SMB) protocol that provides file and print services for Windows clients. As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it's a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services. SerNet, a German consultancy behind the discovery of Badlock, fueled the hype at the outset with a number of since-deleted tweets that said any marketing boost as a result of its branding and private disclosure of the bug to Microsoft was a bonus for its business. For its part, Microsoft refused to join the hype machine and today in MS16-047 issued a security update it rated 'Important' for the Windows Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD). The bulletin patches one vulnerability (CVE-2016-0128), an elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels, Microsoft said. An attacker could then impersonate an authenticated user.

11 of 21 comments (clear)

  1. Was it because if you're talking MS protocols... by xxxJonBoyxxx · · Score: 1

    Was the "lack of hype" because if you're talking Microsoft protocols to any particular machine it's already "game over" because you're probably already behind all their defenses?

  2. Red Hat has a different view - and it's not hype by darthcamaro · · Score: 3, Informative
    I don't know much about Windows and there there are 12 other advisories more impactful that Badlock this month - but Red Hat is and has taken the Linux related vulnerabilities *very* seriously - which is a good thing, it means no shellshocked/heartbleed repeat, patches on time and no real risk.

    "Working closely with the community over many months, Red Hat engineers have been heavily involved in the process of analyzing and developing Samba patches for Badlock-associated issues," Josh Bressers, security strategist at Red Hat sad.

  3. It's a relief I guess by The-Ixian · · Score: 3, Insightful

    I was anticipating the worst and so it's good that we can just continue with our normal patch cycle.

    Shame on SerNet for causing undue stress in Windows admins everywhere... jerks

    --
    My eyes reflect the stars and a smile lights up my face.
  4. Re:Was it because if you're talking MS protocols.. by Dutch+Gun · · Score: 1

    Unless I'm misunderstanding something here, the "thud" mean "who would open a SMB service to the internet anyway?" That's why some security people were confused why they were making such a big deal over a SMB vulnerability. Needs to be fixed, yes, but not a huge deal, since that's typically a service only exposed to your own intranet.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  5. Re:Was it because if you're talking MS protocols.. by Jeremy+Allison+-+Sam · · Score: 5, Informative

    It's not an SMB protocol bug. It's a generic flaw in the DCE RPC protocol used for all RPC services on Windows and specifically to administer Active Directory Domain Controllers. That's why we really want people to patch (both Samba *and* Windows users).

  6. Re:Shit, I've been calling it "Bigcock" for weeks. by Anonymous Coward · · Score: 1

    This is not a minor bug. Exploiting this bug allows you to impersonate the domain administrator. That then allows you to extract all passwords for all users in the domain.

  7. Re:Shit, I've been calling it "Bigcock" for weeks. by Gumbercules!! · · Score: 1

    How? Domain admins cannot extract users' passwords. The encryption isn't reversible (by default, unless you foolishly tell it you want it to be). Potentially as a domain admin you could disable password lockouts and try massive brute force attacks but surely someone else would notice the billions of failed logins in the logs?

    No matter which way you cut it, you need to be inside the domain, already, to start exploiting this. If you're already in the domain, then the victim already has problems. Not saying this isn't real - but it's just another headache for the victim, not the original attack vector.

  8. Re:Shit, I've been calling it "Bigcock" for weeks. by Anonymous Coward · · Score: 1

    You can not extract the users plaintext passwords. But you can most definitely extract the kerberos secrets for the users which is just as good as the plaintext passwords themselves.

    ktexport.exe for example.
    See here for more tools to dump the secrets for all users from DC/ADS. You have to be domain admin though.

    Samba also has their own tools to dump all the secrets to a keytab so that it can be imported into wireshark.
    It is VERY useful to be able to decrypt kerberos protected DCE/RPC traffic when debugging or testing.

    (I wrote the kerberos decryption code for wireshark.)

  9. Re:Shit, I've been calling it "Bigcock" for weeks. by Gumbercules!! · · Score: 1

    Nice, thanks.

  10. Re:Shit, I've been calling it "Bigcock" for weeks. by awkScooby · · Score: 1

    Read up on Golden Ticket and Pass-the-Hash. It works. Been there, done that.

  11. How Badlock Was Discovered and Fixed by Jeremy+Allison+-+Sam · · Score: 1

    Fantastic article from Alexander Bokovoy on
    how this thing was found and fixed !

    http://rhelblog.redhat.com/201...