The much anticipated release of the patch fixing the highly rated Badlock Bug in Windows and Samba, has been released by Samba.org, but for all the hype industry watchers say the problem was not that bad.
The patch is for Samba versions 4.4.2, 4.3.8 and 4.2.11 and was created after several months of work by engineers at Microsoft and Samba, according to a statement posted on Badlock.org. The primary problem addressed by the update, reference number CVE-2016-2118, is it will secure systems against man-in-the-middle (MiTM) and denial of service (DoS) attacks.
“There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user,” badlock.org wrote.
The DoS attacks could be conducted by an attacker with remote network connectivity to the Samba service.
Samba is the standard Windows interoperability suite of programs for Linux and Unix.
Despite the preceding hype, Microsoft did not rate its Badlock Bug fix as critical, said Qualys CTO Wolfgang Kandek in his blog.
"But Badlock seems to be tamer than expected – it is addressed by Microsoft in MS16-047, a bulletin categorized as “important”. It is a Man-in-the-Middle type vulnerability and can be used to login as another user for applications that use the SAMR or LSAD protocol – the SMB protocol is not affected. All versions of Windows are affected – Vista to Server 2012R2. We are not sure where to rank it, but it certainly does not have our top spot," Kandek wrote.
"While I do recommend you roll out the patches as soon as possible - as I generally do for everything - I don't think Badlock is the 'Bug To End All Bugs'. In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better depending on your point of view) attacks they may leverage," said Tod Beardsley, Rapid7 security researcher manager.
Regardless of the rating industry execs see these type of threats as increasing and reiterated the importance of keeping systems up to date.
“Branded threats like Badlock and Heartbleed are on the rise. It is critically important and overdue that enterprises have a strategy in place to enable SecOps teams to quickly identify the vulnerability and its threat to their system, prioritize it against other threats and fix it – fast – before the organization suffers a breach to its system,” Bill Berutti, president, performance & availability and cloud management/data center automation at BMC told SCMagazine.com in an email Tuesday.
There are also several other issues fixed with this update.
- CVE-2015-5370 (Multiple errors in DCE-RPC code)
- CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
- CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
- CVE-2016-2112 (LDAP client and server don't enforce integrity)
- CVE-2016-2113 (Missing TLS certificate validation)
- CVE-2016-2114 ("server signing = mandatory" not enforced)
- CVE-2016-2115 (SMB IPC traffic is not integrity protected)
The problem was given a score of 7.1, or high, on the Common Vulnerability Scoring System. It is not known if the vulnerability has been exploited in the wild, but researchers were able to create a proof of concept for the problem.Update includes commentary from Qualys CTO Wolfgang Kandek and Tod Beardsley Rapid7 security researcher manager.