Overview
The Badlock vulnerability is a chain of flaws with the Server Message Block (SMB) protocol used by Windows and the Linux/Unix application Samba for network file sharing. The vulnerability can be leveraged by remote attackers to perform a Denial-of-Service (DoS) attack against publicly exposed SMB services.
It can also be used by attackers performing Man-in-the-Middle (MitM) attacks against legitimate users to execute arbitrary SMB commands in the context of the user being intercepted. This could be used by an attacker with an existing foothold in a network to gain full access to a company domain if they are intercepting the traffic of an administrator.
Is my organization vulnerable?
The SMB protocol is not typically exposed to the internet, limiting the effectiveness of DoS portion of the attack to those already within the network. We strongly recommend not publicly exposing the SMB protocol even without this recent disclosure.
The risk to the organization where an attacker is already performing a MitM attack is much higher, if the attacker is suitably positioned to be able to control traffic between domain administrators and domain controller servers, the attacker could gain control of the domain. However, if an attacker is already controlling traffic between administrators and the network, the security of the network is likely already severely compromised.
The affected software versions are extremely broad, all currently supported versions of Windows have patches available, from Windows Vista to Windows 10, earlier versions may also be vulnerable but will not receive any patches.
With Samba, the following versions are confirmed to be affected, with earlier versions possibly affected but not tested. Only the 4.2, 4.3 and 4.4 branches of Samba will receive official patches, however other vendors may backport the patches to earlier versions.
- 3.6.x,
- 4.0.x,
- 4.1.x,
- 4.2.0-4.2.9,
- 4.3.0-4.3.6,
- 4.4.0
SureCloud platform scanning
A detection method using SureCloud Vulnerability Manager is expected to be ready in the next couple of days. We also recommend performing a standard scan of the network perimeter and ensuring SMB services are not unexpectedly exposed.
Remediation
Update Samba or Windows to their latest supported versions, we also recommend ensuring there are no SMB services exposed to the internet. Additionally, to reduce the chance of an internal MitM attack successfully gaining access to administrator resources, consider implementing VLANs or otherwise segregating the network.
References
- https://badlock.org/
- https://www.samba.org/samba/latest_news.html#4.4.2
- https://technet.microsoft.com/library/security/MS16-047