On Badlock for Samba (CVE-2016-2118) and Windows (CVE-2016-0128)

Blog post by todb, Apr 12, 2016

Today is Badlock Day

You may recall that the researchers who announced Badlock stated about 20 days ago that April 12 would see patches for a serious vulnerability affecting SMB/CIFS services on both Microsoft Windows and any server running Samba, the open source implementation of SMB/CIFS. We talked about it back in our Getting Ahead of Badlock post, and hopefully IT administrators have taken advantage of the pre-release warning to clear their schedules for today's patching activities.


For Microsoft shops, this should have been straightforward, since today is also Microsoft Patch Tuesday. Applying critical Microsoft patches is, after all, a pretty predictable event.


For administrators of other operating systems that ship Samba, the last couple of years of (usually) coordinated disclosures and updates around core system libraries have been rough, but they have also established procedures that this event can piggyback on.


How worried should I be?

While we do recommend you roll out the patches as soon as possible - as we generally do for everything - we don't think Badlock is the Bug To End All Bugs[TM]. In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better depending on your point of view) attacks they may leverage.


Badlock describes a Man-in-the-Middle (MitM) vulnerability in the SAM and LSA (LSAD) remote protocols, DCE/RPC services carried over SMB/CIFS, affecting both Samba's implementation (as CVE-2016-2118) and Microsoft's (as CVE-2016-0128). An attacker on the network path can force the authentication level of those channels down and then issue calls with the privileges of the intercepted user. This is NOT a straightforward remote code execution (RCE) vulnerability, so it is unlike MS08-067 or the other historical RCE issues in SMB/CIFS. More details about Badlock and the related issues can be found over at


The most likely attack scenario is an internal attacker who is already positioned to intercept and modify network traffic in transit (for example via ARP spoofing on the local segment), and who uses that position to gain privileges equivalent to the intercepted user. While some SMB/CIFS servers are exposed to the Internet, that is generally considered poor practice and should be avoided anyway.


What's next?

For Samba administrators, the easy advice is to just patch up now. If you're absolutely sure you're not offering CIFS/SMB over the Internet with Samba, check again (TCP 445 and 139, scanned from outside your perimeter); unintentionally exposed services are the bane of IT security, given how porous network perimeters are.


While you're checking, go ahead and patch, since both private and public exploits will surface eventually. You can bet that exploit developers around the world are poring over the Samba patches now. In fact, you can track public progress over at the Metasploit Pull Request queue, but please keep your comments technically relevant and helpful if you care to pitch in.
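As an added example (not code from the original post, from Rapid7, or from the Samba project), here is a small Python script a Samba administrator could run against `smbd -V` output and smb.conf to check both halves of the advice above: whether the running version carries the upstream fix, and whether the configuration already enforces SMB signing and refuses the low DCE/RPC authentication level the MitM relies on. The fixed release numbers (4.2.11, 4.3.8, 4.4.2) are the ones the Samba project shipped for CVE-2016-2118; which configuration values count as "hardened" is the script's own policy, and the sample smb.conf contents are constructed for the example.

```python
"""badlock_check.py: two offline checks for Samba administrators.

Added example, not Rapid7's or the Samba project's own code.  The fixed
release numbers are the upstream releases for CVE-2016-2118; the smb.conf
parameter names are real Samba parameters, but which values this script
treats as "hardened" is its own policy.
"""
import configparser
import re

# Upstream Samba releases carrying the CVE-2016-2118 fix, keyed by branch.
# Branches older than 4.2 were end-of-life and received no upstream fix.
FIXED_RELEASES = {(4, 2): (4, 2, 11), (4, 3): (4, 3, 8), (4, 4): (4, 4, 2)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_samba_version(text):
    """Pull X.Y.Z out of `smbd -V` output such as 'Version 4.3.7-Ubuntu'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no X.Y.Z version number in %r" % text)
    return tuple(int(part) for part in m.groups())


def samba_fix_status(text):
    """Classify an upstream version string as 'fixed', 'vulnerable' or 'eol'.

    Caveat: distributions often backport security fixes without bumping the
    upstream version number, so 'vulnerable' here means "check the vendor
    changelog for CVE-2016-2118", not "definitely unpatched".
    """
    version = parse_samba_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "vulnerable"
    # Anything newer than the newest fixed branch was released after the fix.
    return "fixed" if branch > max(FIXED_RELEASES) else "eol"


# Parameters that reduce exposure to a network MitM: SMB signing stops
# tampering with traffic in transit, and refusing DCE/RPC binds at auth level
# "connect" blocks the downgrade itself.  The last two parameters only exist
# on patched builds.  The accepted values are this script's policy.
HARDENED = {
    "server signing": {"mandatory", "required"},
    "client signing": {"mandatory", "required"},
    "client ipc signing": {"mandatory", "required"},
    "allow dcerpc auth level connect": {"no", "false", "0"},
}


def _normalize(name):
    # Samba ignores case and whitespace in parameter names.
    return name.lower().replace(" ", "")


def smbconf_findings(text):
    """Map each watched parameter to (value, status) from smb.conf's [global].

    status is 'ok' (hardened value set), 'weak' (explicitly set to something
    weaker) or 'default' (not set, so Samba's compiled-in default applies; for
    'allow dcerpc auth level connect' that default is 'no' only on a patched
    build, and server signing is already mandatory on an AD DC).
    """
    # smb.conf uses %m-style macros and may repeat keys: no interpolation,
    # non-strict parsing, and '=' as the only delimiter.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = _normalize
    parser.read_string(text)
    section = parser["global"] if parser.has_section("global") else {}
    findings = {}
    for param, good_values in HARDENED.items():
        key = _normalize(param)
        if key not in section:
            findings[param] = (None, "default")
            continue
        value = section[key].strip().lower()
        findings[param] = (value, "ok" if value in good_values else "weak")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_SMB_CONF = """\
[global]
   workgroup = CORP
   server role = standalone server
   server signing = auto
   allow dcerpc auth level connect = yes
   log file = /var/log/samba/%m.log

[homes]
   browseable = no
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = CORP
   server role = standalone server
   server signing = mandatory
   client signing = mandatory
   client ipc signing = mandatory
   allow dcerpc auth level connect = no
   log file = /var/log/samba/%m.log
"""

if __name__ == "__main__":
    for sample in ("Version 4.3.7-Ubuntu", "Version 4.4.2", "Version 4.1.17"):
        print(sample, "->", samba_fix_status(sample))
    for param, (value, status) in smbconf_findings(WEAK_SMB_CONF).items():
        print("%-32s %-10s %s" % (param, value, status))
```

Run it on the host (`python3 badlock_check.py`) or import the two functions from your own inventory tooling. Because distributions backport fixes without changing the upstream version string, treat a "vulnerable" verdict as a prompt to read the vendor's changelog rather than as proof; and on an AD DC, where server signing is mandatory by default, a "default" finding for that parameter is fine.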


For Microsoft Windows administrators, Badlock is fixed in MS16-047 (Security Update for SAM and LSAD Remote Protocols). While Microsoft rates this bulletin only as "Important," there are plenty of other critically rated issues released today, so IT organizations are advised to use their already-negotiated change windows to test and apply this latest round of patches.


Rapid7 will be publishing both Metasploit exploits and Nexpose checks just as soon as we can, and this post will be updated when those are available. These should help IT security practitioners to identify their organizations' threat exposure on both systems that are routinely kept up to date, as well as those systems that are IT's responsibility but are, for whatever reason, outside of IT's direct control.


Are any Rapid7 products affected?

No Rapid7 products are affected by this vulnerability.