Badlock is Bad - But Could Be Worse
Beyond the Hype, Badlock Bugs Will Still Bite, Experts Warn
Behold Badlock, a critical Windows and Samba bug that publicly debuted April 12 to much fanfare - plus predictable accusations of hype, since it arrives backed by its own logo and marketing campaign.
But here's the security challenge: Samba is a free software implementation of SMB - Server Message Block - the protocol that facilitates cross-platform file sharing and print services. SMB runs as a default service on most Windows systems, and Samba provides it on Unix and Linux-based operating systems. Because of that wide install base, Badlock is bad news.
The Samba security team warns that the nine separate flaws referenced as Badlock could be used for man-in-the-middle attacks, as well as to view or modify Samba servers or Samba Active Directory services, including viewing or modifying users' password hashes or shutting down critical services. They also warn that the flaws could be exploited to create a denial of service, for example if attackers gain either internal or remote access to a Samba service.
Samba 4.4 and earlier are vulnerable, and the Samba team has released fixes in the form of patched versions of Samba 4.2.10 and 4.2.11, 4.3.7 and 4.3.8, and 4.4.1 and 4.4.2. "Pre-4.2 versions have been discontinued," Samba says.
But Tod Beardsley, security researcher manager for security firm Rapid7, advises keeping these new vulnerabilities in perspective. "While we do recommend you roll out the patches as soon as possible - as we generally do for everything - we don't think Badlock is the Bug To End All Bugs (TM)," he says in a blog post. "In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse - or better, depending on your point of view - attacks they may leverage."
In part, that's because Samba tends to only be enabled and used on internal networks. And attackers with internal access to the network don't necessarily need to bother with the somewhat technologically advanced attack that would be required to exploit Badlock. "The most likely attack scenario is an internal user who is in the position of intercepting and modifying network traffic in transit to gain privileges equivalent to the intercepted user," Beardsley says. "While some SMB/CIFS [Common Internet File System] servers exist on the Internet, this is generally considered poor practice, and should be avoided anyway."
Microsoft Patches Samba
The Samba team purposefully released its updates the same day that Microsoft released its monthly collection of patches, including MS16-047, which Microsoft says patches Badlock-related flaws in all versions of Windows. Microsoft has released updates for all supported versions of Windows, from Windows Vista to Windows 10, and from Windows Server 2008 to Windows Server 2012 R2.
While Microsoft only rates the Badlock flaws as "important" - not "critical" - Rapid7's Beardsley cautions that plenty of serious vulnerabilities have been patched, and predicts that related exploits will soon be developed for the open source Metasploit penetration-testing toolkit, which Rapid7 maintains. "You can bet that exploit developers around the world are poring over the Samba patches now," he says, referring to reverse-engineering the fixes to locate the underlying flaws.
Researchers Defend Logo
A team drawn from both Samba and Microsoft says the Badlock-related fixes come after months of related development efforts. They've also defended their decision - in the wake of Heartbleed, Shellshock and a bevy of other branded vulnerabilities - to give this vulnerability its own unique name and logo.
"This process didn't start with the branding - it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up," the group says on the badlock.org site.
The group adds: "What branded bugs are able to achieve is best said with one word: awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs."
Warning: Old Applications May Break
Because of the large number of fixes involved, the Samba team is warning that patched versions of Samba may no longer work with older software. As a result, IT groups will need to carefully test new versions of any Samba-based software they use once vendors incorporate the patches released April 12, update their products and distribute them to customers.
"The number of changes [is] rather huge for a security release, compared to typical security releases. Given the number of problems and the fact that they are all related to man-in-the-middle attacks, we decided to fix them all at once instead of splitting them," Samba says in its update notes. "The security updates include new [SMB configuration] options and a number of stricter behaviors to prevent man-in-the-middle attacks on our network services, as a client and as a server. Between these changes, compatibility with a large number of older software versions has been lost in the default configuration."
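The practical consequence of those stricter defaults is that the quickest way to get an old client working again is to relax one of the new signing or authentication settings, which quietly reopens the man-in-the-middle exposure the release closed. The following audit script is an added example, not Samba's own code or anything from the article; it parses an smb.conf and flags [global] options explicitly set to a value that weakens those protections. The option names (server signing, client signing, client ipc signing, ldap server require strong auth, allow dcerpc auth level connect) are assumptions drawn from Samba's smb.conf(5) documentation, not from the article, which only says new options were added; the sample configurations are constructed.

```python
"""Flag smb.conf settings that relax Samba's man-in-the-middle protections.

Added example, not Samba project code. The option names below are
assumptions taken from smb.conf(5), not from the article, which only says
the Badlock release added new options and stricter default behaviour.
"""

# option -> (values that weaken MITM protection, hardened value to recommend)
MITM_OPTIONS = {
    "server signing": ({"disabled", "no", "false", "off", "0"}, "mandatory"),
    "client signing": ({"disabled", "no", "false", "off", "0"}, "mandatory"),
    "client ipc signing": ({"disabled", "auto", "no", "false", "off", "0"}, "mandatory"),
    "ldap server require strong auth": ({"no", "false", "off", "0"}, "yes"),
    "allow dcerpc auth level connect": ({"yes", "true", "on", "1"}, "no"),
}


def normalize_name(name):
    # smb.conf ignores case and all whitespace inside parameter names.
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Minimal smb.conf parser: [sections], 'name = value' lines and
    full-line '#' or ';' comments. Backslash line continuation and the
    'include' directive are not handled; this is enough to audit [global]."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            name, _, value = line.partition("=")
            sections[current][normalize_name(name)] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return sorted (option, configured value, recommended value) tuples for
    every [global] option explicitly set to a value that weakens MITM
    protection. Unset options are not reported: the post-Badlock releases
    default them to the stricter setting, so only explicit overrides matter."""
    conf = parse_smb_conf(text).get("global", {})
    findings = []
    for option, (weak_values, recommended) in MITM_OPTIONS.items():
        value = conf.get(normalize_name(option))
        if value is not None and value.lower() in weak_values:
            findings.append((option, value, recommended))
    return sorted(findings)


# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """
[global]
   workgroup = CORP
   # relaxed to keep an old NAS talking to this server after the upgrade
   Server Signing = disabled
   client ipc signing = auto
   ldap server require strong auth = no
   allow dcerpc auth level connect = yes

[homes]
   browseable = no
"""

HARDENED_CONF = """
[global]
   workgroup = CORP
   server signing = mandatory
   client signing = mandatory
   client ipc signing = mandatory
   ldap server require strong auth = yes
   allow dcerpc auth level connect = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_smb_conf(conf)
        print(f"{label}: {len(findings)} weak setting(s)")
        for option, value, recommended in findings:
            print(f"  {option} = {value}  (recommend: {recommended})")
```

Run it against a real smb.conf by passing the file contents to audit_smb_conf; anything it reports is a compatibility override worth documenting and scoping (for instance to a dedicated legacy share host) rather than leaving in place on every server.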
More Critical Flaws From Microsoft
In other vulnerability news, Microsoft this month patched 31 separate flaws by releasing 13 updates for Windows, including a fix for critical vulnerabilities in Internet Explorer that could be exploited by attackers to take full control of a system, as well as in the Edge browser, which could allow an attacker to gain the same access rights as a user. "Do not forget that Microsoft only patches the newest browser for each operating system: that means IE11 for Windows 7 upwards, IE9 for Vista, and IE10 for Windows server 2012," Wolfgang Kandek, CTO of security firm Qualys, says in a blog post.
This month's other critical Microsoft updates patch a bug - designated CVE-2016-0127 - in Microsoft Office that could be used by attackers to remotely execute arbitrary code without user interaction. The flaw "is a remote-code execution vulnerability in the RTF file format, which [appears] automatically in the Outlook preview pane and can give the attacker [remote code execution] with a simple email," Kandek says. "If you can afford it, harden your setup by outlawing RTF emails. You can turn them off with the Office File Block Policy, which works across 2007/2010 and 2013."
Another critical flaw that's been patched is in Microsoft XML Core Services. The bug could allow attackers to execute arbitrary code if they trick users into clicking "a specially crafted link," Microsoft says, for example one displayed on a malicious website.
Adobe Ships Patches
Also on April 12, Adobe released updates to patch flaws in its help authoring tool Robohelp, as well as for Creative Cloud Desktop, a hosted service that is used to download Adobe applications such as Photoshop onto users' desktops. That followed Adobe last week releasing an emergency update for Flash, patching a zero-day flaw that was being exploited by at least two crimeware toolkits. Experts recommend immediately upgrading all versions of Flash, or uninstalling the software if it's not required (see Emergency Flash Patch Battles Ransomware).
Microsoft says its April patch updates include the Flash update for "all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10."