Getting Ahead of Badlock

Blog Post created by todb on Mar 29, 2016

While we are keeping abreast of the news about the foretold Badlock vulnerability, we don't know much more than anyone else right now. We're currently speculating that the issue has to do with the fundamentals of the SMB/CIFS protocol, since the vulnerability is reported to be present in both Microsoft's and Samba's implementations. Beyond that, we're expecting the details from Microsoft as part of their regularly scheduled Patch Tuesday.


How Bad Is It?

Microsoft and the Samba project both clearly believe this is a more critical than usual problem, but in the end, it's almost certainly limited to SMB/CIFS, much like MS08-067 was. This comparison should be alternately comforting and troubling. While the SMB world isn't the same as it was in late 2008, MS08-067 continues to be a solid, bread-and-butter vulnerability exploited by internal penetration testers. We are very concerned about the population of chronically unpatched SMB/CIFS servers that lurk in the dusty corners of nearly every major IT enterprise.


What Can I Do Now?

Any large organization with a significant install base of Windows servers should spend this time clearing patch and reboot schedules for production SMB/CIFS servers using its usual Patch Tuesday change control processes. Assuming it's even remotely as bad as the discoverers are making it out to be, this is the patch you want to release into production pretty much as fast as your change control processes allow. Given the high visibility of this particular issue, it would be wise to treat it as a mostly predictable emergency.


If you feel you're already set up for a rapid patch deployment, this is also a pretty great time to conduct an assessment of both your intentional and accidental SMB/CIFS footprint. While Windows machines today ship with an operating system-level firewall enabled by default, all too often users will "temporarily" disable these protections in order to get some specific file sharing task done, and there's really nothing more permanent in an IT environment than a temporary workaround.


In short, our advice is to take advantage of the hype around this bug and buy some time from your management to get some legwork done in advance of next Patch Tuesday. You might be surprised by what you find, but it's better to discover those rogue SMB/CIFS endpoints now, in a measured way, than during a panic-fueled crisis. And if you haven't exercised your emergency patch procedures in a while, well, now you have every excuse you could ask for, short of an actual, unplanned emergency.
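The footprint assessment described in the two preceding sections (finding SMB/CIFS listeners you did not intend to have, so they can be scheduled for the patch) can be driven from an ordinary asset inventory. The script below is an added example, not code from the original post or from Rapid7: it probes TCP 445 and 139 on each host you hand it, then sorts hosts into sanctioned (open and on your inventory), rogue (open but unknown to the inventory, typically the "temporary" firewall exceptions the post warns about), and unreachable (inventoried but not answering, which still matters because those boxes need the patch too). The host list, the `sanctioned` set and the `fake_probe` results are constructed sample data; run it against your own ranges by passing real hostnames and dropping the `probe=` override.

```python
import socket

# SMB over TCP (445) and the older NetBIOS session service (139).
SMB_PORTS = (445, 139)


def probe_smb(host, port=445, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds.

    A completed handshake only tells us something is listening on an
    SMB-related port; it does not identify the implementation or patch level.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts, ports=SMB_PORTS, probe=probe_smb):
    """Map each host to the set of SMB-related ports found listening."""
    return {host: {p for p in ports if probe(host, p)} for host in hosts}


def classify(scan_results, sanctioned):
    """Split scan results into sanctioned, rogue and unreachable hosts.

    scan_results: {host: set_of_open_ports} as returned by scan_hosts().
    sanctioned:   hosts that are *supposed* to serve SMB/CIFS per inventory.
    """
    report = {"sanctioned": [], "rogue": [], "unreachable": []}
    for host in sorted(scan_results):
        open_ports = scan_results[host]
        if open_ports and host in sanctioned:
            report["sanctioned"].append(host)
        elif open_ports:
            # Listening, but nobody signed off on it: the accidental footprint.
            report["rogue"].append(host)
        elif host in sanctioned:
            # Expected to be a file server but not answering; verify it is
            # really off and not just firewalled from the scanner's vantage.
            report["unreachable"].append(host)
    return report


# --- Constructed sample data (assumption: no real hosts are contacted) ---
SAMPLE_HOSTS = ["fs01.example.test", "fs02.example.test",
                "ws-bob.example.test", "db01.example.test"]
SAMPLE_SANCTIONED = {"fs01.example.test", "fs02.example.test"}
# Pretend results: fs01 serves SMB, fs02 is down, bob's workstation has a
# "temporary" share exposed, db01 is clean.
SAMPLE_OPEN = {("fs01.example.test", 445), ("fs01.example.test", 139),
               ("ws-bob.example.test", 445)}


def fake_probe(host, port, timeout=None):
    """Stand-in for probe_smb() so the example runs offline."""
    return (host, port) in SAMPLE_OPEN


def sample_report():
    """Run the classification over the constructed data."""
    results = scan_hosts(SAMPLE_HOSTS, probe=fake_probe)
    return classify(results, SAMPLE_SANCTIONED)


if __name__ == "__main__":
    for bucket, hosts in sample_report().items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Feed the rogue list straight into the same change-control queue as the sanctioned file servers; a box that is serving SMB by accident is no less exposed to the coming patch than one that does so on purpose.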