News about Badlock vulnerability affecting Windows computers and Samba servers started showing up on Twitter and media around three weeks ago. The site badlock[.]org was registered on March 11 according to WHOIS. There has been a lot of guessing and speculation around this vulnerability. It’s time for reality check: just how bad actually is Badlock?
Named vulnerabilities have resulted in being clichéd very quickly. Being a named vulnerability doesn’t qualify it as a serious widespread vulnerability. Badlock is somewhere in between. In this entry, we demystify the hype of Badlock with questions that measure it as a vulnerability. We also pin it up against a noteworthy case to see how it compares.
Badlock is referenced by following identifiers:
Is the possible attack surface widespread?
Yes. All Windows computers (including Windows 2003, Windows 2000, and Windows XP) and Samba servers are affected. But it’s not a trivial vulnerability to exploit, as we’ll explain later.
Is the vulnerability being exploited in the wild?
Microsoft’s advisory and Badlock website clarify that there are no reports of the vulnerability being exploited in the wild. It was privately reported to Microsoft. But badlock[.]org warns “We are pretty sure that there will be exploits soon.”
How severe is the vulnerability? Is it easy to exploit?
Of several speculations about Badlock, one of them was that it’s close to MS08-067, (a vulnerability exploited by the Conficker/DOWNAD worm). Take note that because of MS08-067, Conficker/DOWNAD could infect an entire network through a single machine and has plagued millions of Windows computers and servers.
Badlock is definitely not close to MS08-067. MS08-067 was rated Critical on all Windows versions whereas Badlock is rated as Important by Microsoft. The CVSS score for Badlock being 7.1 whereas CVSS score for CVE-2008-4250 (MS08-067) was 10.0, the highest that a vulnerability can get. Again, as per Microsoft’s exploitability index the exploitability index for Badlock is 3 whereas exploitability index for CVE-2008-4250 is 1. Exploitability index of 3 means that’s that exploitation is unlikely for this vulnerability.
|Vulnerability type||Remote Code Execution||Elevation of Privilege|
|Microsoft's Severity Rating||Critical (on all Windows platforms)||Important (on all supported Windows platform)|
|Microsoft's Exploitability Index||1||3|
|CVSS Score||10.0 (CVSS 2.0)||Base 7.1 Temporal: 6.4(CVSS 3.0)|
A key factor in the exploitation of this vulnerability is the need for the attacker to carry out a man-in-the-middle (MitM) attack first. This means the attacker has to be reasonably knowledgeable of the target network. It’s not as simple as downloading exploitation tools off the internet and firing away an exploit.
Also, note that after a successful attack, the attacker would gain elevation of privilege. With these elevated privileges, the attacker could gain access to SAM database which can be used to brute force the passwords from hashes.
Comparing this to MS08-067, an attacker exploiting this vulnerability could take control of an infected system remotely. The attacker could exploit this vulnerability over RPC without authentication and could run arbitrary code.
What exactly is the Badlock vulnerability, now that we know it’s not as severe as MS08-067?
Now that we know that Badlock is not as severe as MS08-067, we take a closer look at the said vulnerability. CVE-2016-0128/CVE-2016-2118 is an Elevation of Privilege vulnerability. As per Microsoft Bulletin, the vulnerability is “caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel.” The vulnerability is in the way SAMR protocol handles authentication levels.
As per Samba advisory “A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers.”
So, the attacker must have the ability to intercept the network traffic first to be able to carry out MitM attack. Eventually, the attacker will be able to gain read, write access to SAM database and access password hashes. Using these credentials an attacker can impersonate another user.
We highly recommend that patches be applied as soon as possible or security solutions protecting against Badlock be applied.
How can I protect the Endpoint computers including End of support versions of Windows and Samba from this vulnerability?
Trend Micro Deep Security protects customers running end-of-support (EOS) versions of Windows. Details on EOS platforms support can be found here. Even unsupported versions of Samba (version 4.1 and before) are protected by Deep Security. The rules will be automatically assigned by the Recommendation Scan Feature and protection can be deployed easily, automatically.
Trend Micro Deep Security, Vulnerability Protection, Tipping Point customers are protected against this vulnerability as per following updates below. Deep Security update DSRU16-009, released on 12th April 2016:
- 1007584 - SAMBA RPC Authentication Level Downgrade Vulnerability
- 1007586 - SAMBA RPC Authentication Level Downgrade Vulnerability - 1
- 1007593 - Identified SAMBA DCERPC AUTH LEVEL CONNECT Password Validate Request
- 1007531 - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128)
- 1007539 - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128) - 1
- 1007561 - Identified Windows DCERPC AUTH LEVEL CONNECT Password Validate Request
TippingPoint customers are protected from this vulnerability with the following MainlineDV filter available today:
- 24259: RPC: Windows SAMR Man-in-the-Middle Vulnerability (Badlock)
- 24260: RPC: SamrValidatePassword Method Using Unencrypted Authentication Level