SerNet, a German company, launched http://badlock.org/ and warned us in late March that security updates for this critical vulnerability would be rolled out on April 12. Badlock, they said, was a serious vulnerability and would soon be exploited.
So, what is it all about and what should you do?
Badlock is referenced for Microsoft Windows by CVE-2016-0128 / MS16-047 (Windows SAM and LSAD Downgrade Vulnerability) and for Samba by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible).
It is an elevation of privilege vulnerability. A man-in-the-middle attacker who can intercept communications between a client and a server hosting a SAM database can exploit it to force the authentication level to downgrade, allowing the attacker to impersonate an authenticated user and access the SAM database. Badlock.org also claims that it facilitates denial of service (DoS) against services running Samba.
The Badlock vulnerability has been categorized ‘Medium’ by the National Vulnerability Database, which means that it is important but not as severe as the hype suggested. It can help with man-in-the-middle attacks, but exploitation is difficult: the attacker must already hold a position of advantage on the network to cause serious harm. By contrast, older Windows weaknesses such as MS08-067 offered straightforward remote code execution (RCE), which Badlock does not.
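The paragraphs above describe Badlock as an authentication-level downgrade on the SAMR and LSARPC (LSAD) DCERPC interfaces. The symptom a defender can look for is a bind to one of those interfaces that negotiated a weaker authentication level than packet privacy. The following is an added example, not code from the original post or from Indusface, Microsoft or Samba: it runs a simple check over bind records that an analyst might have extracted from a packet capture or RPC audit log. The record format, the sample data and the choice of packet privacy as the minimum acceptable level are this example's own assumptions; the interface UUIDs and the DCERPC auth-level constants are the standard MS-RPCE values.

```python
"""Flag DCERPC binds to SAMR/LSARPC that negotiated a weak authentication level.

Badlock is a downgrade attack: a man-in-the-middle lowers the DCERPC auth level
used for SAMR/LSAD traffic. This example (not part of the original post) shows
how to spot that symptom in observed bind records.
"""
from dataclasses import dataclass

# DCERPC authentication levels (MS-RPCE, RPC_C_AUTHN_LEVEL_*).
RPC_C_AUTHN_LEVEL_NONE = 1
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_CALL = 3
RPC_C_AUTHN_LEVEL_PKT = 4
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6

# Interface UUIDs of the two RPC services affected by Badlock.
SAMR_UUID = "12345778-1234-abcd-ef00-0123456789ac"
LSARPC_UUID = "12345778-1234-abcd-ef00-0123456789ab"
SENSITIVE_INTERFACES = {SAMR_UUID: "SAMR", LSARPC_UUID: "LSARPC"}


@dataclass
class BindRecord:
    """One observed DCERPC bind. The field layout is an assumption of this
    example; real tooling would fill it from a capture or an RPC audit log."""
    src: str
    dst: str
    interface_uuid: str
    auth_level: int


def weak_binds(records, minimum=RPC_C_AUTHN_LEVEL_PKT_PRIVACY):
    """Return (record, interface_name) pairs for binds to SAMR or LSARPC whose
    negotiated auth level is below `minimum`. Binds to other interfaces are
    ignored, so the check stays focused on the two Badlock-relevant services."""
    findings = []
    for rec in records:
        name = SENSITIVE_INTERFACES.get(rec.interface_uuid.lower())
        if name is None:
            continue
        if rec.auth_level < minimum:
            findings.append((rec, name))
    return findings


def describe(findings):
    """Render findings as one human-readable alert line each."""
    return [
        f"{name} bind {rec.src} -> {rec.dst} negotiated auth level "
        f"{rec.auth_level} (< PKT_PRIVACY={RPC_C_AUTHN_LEVEL_PKT_PRIVACY})"
        for rec, name in findings
    ]


# Constructed sample data: one clean SAMR bind, two downgraded binds, and one
# bind to an unrelated interface (srvsvc) that the check should ignore.
SAMPLE_BINDS = [
    BindRecord("10.0.0.5", "10.0.0.1", SAMR_UUID, RPC_C_AUTHN_LEVEL_PKT_PRIVACY),
    BindRecord("10.0.0.7", "10.0.0.1", SAMR_UUID, RPC_C_AUTHN_LEVEL_CONNECT),
    BindRecord("10.0.0.7", "10.0.0.1", LSARPC_UUID, RPC_C_AUTHN_LEVEL_NONE),
    BindRecord("10.0.0.9", "10.0.0.1", "4b324fc8-1670-01d3-1278-5a47bf6ee188",
               RPC_C_AUTHN_LEVEL_CONNECT),
]


if __name__ == "__main__":
    for line in describe(weak_binds(SAMPLE_BINDS)):
        print(line)
```

Two of the four constructed binds are reported: the SAMR bind at level CONNECT and the LSARPC bind at level NONE, both from the same client, which is the pattern a downgrade in progress would leave behind. The clean SAMR bind at packet privacy and the srvsvc bind are left alone. On the mitigation side, Samba's fixed releases added the `allow dcerpc auth level connect` option, which defaults to `no` so that connect-level authentication is refused for these interfaces; keeping that default is the configuration-side counterpart to this detection.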
Microsoft releases security patches on Tuesdays, and this time the rollout includes a Security Update for SAM and LSAD Remote Protocols along with fixes for other issues. It has been rated ‘Important’.
Meanwhile, Samba has a more detailed summary on the issue.
As communicated to Indusface customers, Indusface Web Application Scanning will detect and report the Badlock vulnerability, and the Indusface Web Application Firewall, which protects your front-end web applications, is not itself vulnerable to Badlock.
You should also apply the security patch immediately. As we always say, security patches are not to be missed, whatever the rated criticality of the vulnerability.
For Microsoft Windows: Please visit https://technet.microsoft.com/en-us/security/bulletin/dn602597.aspx for the security updates rolled out this week. These include the patch for Badlock under the title Security Update for SAM and LSAD Remote Protocols.
For Samba: Samba has already patched the following versions:
Look for them at https://www.samba.org/samba/history/security.html
Note: Even if you believe you do not expose CIFS/SMB, such services are often reachable in unintended ways, so do not assume you are unaffected.
Hundreds of vulnerabilities are uncovered every week, and it is difficult to keep track of all of them, especially when your business priorities are more pressing. Indusface Total Application Security acts as your extended security arm, keeping track of these vulnerabilities and breaking them down by criticality for you.
Whenever there is a new threat, we assess it and notify our customers with our security experts’ advice on how they should ensure the safety of their applications and business from hackers.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to its first customers with a proven, validated business model poised for scale. He has over 10 years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.