Badlock: Combatting the New Samba Vulnerability

The New Samba vulnerability could expose companies to man-in-the-middle attacks.

Steve Snelgrove

On April 12, 2016, Badlock, a security bug in Windows and Samba, was disclosed. It was discovered by Stefan Metzmacher, a member of the international Samba Core Team.

The SMB protocol was originally developed by Microsoft to enable various resource sharing and authentication features on local networks. For example, one use of the protocol is to allow several computers to share printers.

Samba is an open-source implementation of this protocol. With Samba, a Linux server can provide services and shared resources that both Linux and Windows computers can utilize.

Because both Microsoft’s and Samba’s implementations are based on a common protocol design, flaws in the underlying protocol result in vulnerabilities in all implementations.

This is the case with the disclosed collection of vulnerabilities: Badlock.

What is Badlock?

The researchers who worked on identifying these problems decided to give the collection of issues the name Badlock in order to promote awareness about these problems.

Badlock can be categorized as a man-in-the-middle attack or a denial-of-service attack.

  • Man-in-the-middle attacks: These attacks intercept and modify user permissions on files or directories. An attacker could intercept DCE/RPC traffic between a domain member and a domain controller to impersonate the client and gain credentials.
  • Denial-of-service attacks: These attacks make a machine or network unavailable to its intended users. Samba services are vulnerable to denial of service from an attacker with a remote access connection to the Samba service.

This vulnerability involves flaws in the code and security protocol of the Samba application, potentially exposing Active Directory data that contains passwords and other credentials. Hackers who gain access to the directories can get a lot of information about companies.

As a result, Badlock could potentially leave companies open to many types of cyber attacks, letting hackers get access to sensitive data.

Who is Vulnerable?

Many, if not most, versions of Windows and Linux operating systems may be vulnerable to Badlock.

The following Samba versions running on Linux/Unix systems are vulnerable:

  • 3.6.x
  • 4.0.x
  • 4.1.x
  • 4.2.0-4.2.9
  • 4.3.0-4.3.6
  • 4.4.0
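
The version list above can be turned into a quick inventory check. The following is an added example, not code from the Samba project or from this article's author: it parses banners in the `Version X.Y.Z` form printed by `smbd --version` and flags those that fall in the listed ranges. The hostnames and banners in `SAMPLE` are constructed for illustration.

```python
import re

# Vulnerable ranges exactly as listed in the article:
# (major, minor, first_patch, last_patch); None means the whole series ("x").
LISTED_RANGES = [
    (3, 6, None, None), (4, 0, None, None), (4, 1, None, None),
    (4, 2, 0, 9), (4, 3, 0, 6), (4, 4, 0, 0),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Version 4.3.6-Ubuntu'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def in_listed_range(text):
    """True if the reported upstream version falls in a range the article lists."""
    major, minor, patch = parse_version(text)
    for r_major, r_minor, lo, hi in LISTED_RANGES:
        if (major, minor) == (r_major, r_minor):
            return lo is None or lo <= patch <= hi
    return False  # not on the article's list; says nothing about other advisories

def triage(inventory):
    """Map host -> 'listed', 'not-listed' or 'unknown' for {host: banner}."""
    result = {}
    for host, banner in inventory.items():
        try:
            result[host] = "listed" if in_listed_range(banner) else "not-listed"
        except ValueError:
            result[host] = "unknown"  # no parsable banner: check the host by hand
    return result

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "files01": "Version 4.3.6-Ubuntu",
    "files02": "Version 4.3.7",
    "print01": "Version 3.6.23-30.el6",
    "dc01": "Version 4.4.0",
    "nas01": "smbd: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(f"{host}: {verdict}")
```

Distribution packages often backport fixes without changing the upstream version number, so treat a "listed" result as a prompt to check the vendor's advisory for that package build rather than as proof the host is unpatched.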

The following supported editions of Windows are vulnerable:

  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows 10

To put it simply, any Samba server configured as a domain member is vulnerable to this flaw. Practically every version of Windows and Linux operating systems has this defect in the security component.

What can you do?

Since this vulnerability was discovered, security patches have been developed that fix Badlock.

For a Samba service running on Linux/Unix systems, apply the patches provided by the Samba Team and SerNet for Enterprise SAMBA/SAMBA+ immediately.

For Windows users, refer to Microsoft for patch details.

According to the security industry's current assessment, there’s no immediate need to panic. Some fundamental problems were identified with the protocol and its implementation, but so far the risks are not rated very high. Mounting an attack is also fairly difficult, since the attacker must already have access to the network.

That being said, it’s recommended you take action quickly, should you be vulnerable.