A few weeks ago, we wrote about an unusual sort of vulnerability called Badlock.
It was unusual because the vulnerability was super-secret, in order that it could be fixed before crooks found out how to use it to our collective detriment.
Yet it was very publicly super-secret, with a logo, a landing page, and some breathless prose like this:
Weighting to the respective interests [sic] of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.
It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it.
The good news is that the fixes are available now, both from Microsoft (where the bug is known as CVE-2016-0128 and listed as MS16-047) and from Samba (where it is denoted CVE-2016-2118).
Expecting the worst
When the Badlock landing page appeared, walking its self-confessed thin line between attention and overhype, it told us that the bug affected Windows and Samba, and was so severe you would want to fix it immediately.
Unsurprisingly, a lot of us assumed the worst.
It certainly sounded like a flaw in the Windows file-sharing protocol originally called SMB (now called CIFS) and its open-source implementation known as Samba.
Perhaps, like Heartbleed, servers could be leached of data at will, just by sending unauthenticated request packets and receiving random file contents in return?
Perhaps, like the bugs behind the CodeRed and Slammer malware in the early 2000s, it was a wormable remote code execution (RCE) exploit, so that anyone with evil intent could let loose a virus that would spread fast through the internet, grabbing system-level powers on every visible file server.
As it turns out, the bug is serious, and affects every supported version of Windows, from Vista and Server 2008 all the way to Windows 10 and Server Core.
Nevertheless, Badlock only warrants a Microsoft threat rating of Important, because it can’t be used for RCE, where crooks on the other side of the world could run malware on your computer without so much as a by-your-leave.
Badlock in reality
Badlock is an elevation of privilege (EoP) vulnerability, the sort of security hole that can certainly be deadly in conjunction with an RCE exploit.
A crook can use the RCE to get inside your network in the first place, albeit with not much power to do anything, and then use the EoP to promote himself to an all-powerful administrative user and go pretty much where he likes, as the attackers in the recent Panama Papers breach seem to have done.
According to Microsoft, the vulnerability allows an attacker who can listen in to your network traffic to intercept some types of Windows logon, performing what is known as a Man in the Middle (MiTM) attack.
By sitting between you and the server for certain types of logon attempt, the crook might be able to harvest your logon credentials, even though they are supposed to be cryptographically protected, in order to hijack your account and logon as you.
If the crooks is currently only a regular user or a guest, but you’re a domain adminstrator, then Badlock might well give him the keys to your entire castle.
What to do?
Usually, when officially-released patches appear, especially when they are for zero-day or easy-to-exploit holes, we say, quite simply, “Patch early, patch often.”
And that’s exactly what we’re saying now.
Patch as soon as you can, and get one step ahead of the crooks.
💡 LEARN MORE: The Badlock controversy ►
💡 LEARN MORE: SophosLabs vulnerability assessments ►
From EoP to RCE: learn more about vulnerabilities in our Sophos Techknow podcast
(Audio player above not working? Download, or listen on Soundcloud.)
One comment on “Badlock revealed – probably not as bad as you thought”
Along with the phrase “Patch early, patch often,” the unspoken addendum is “as early as the patch is available.” For Linux users, the Samba patch was available almost immediately, a la Apple iOS updates. In this situation, waiting on Microsoft to release the fix on Patch Tuesday is akin to the Android user waiting on the carrier and phone manufacturer for their security updates. What I find ironic is that iOS and Windows are both closed source, while Android is a stepchild of Linux. I guess this just illustrates that patch deployment ultimately is as much of an management/executive/policy issue as it is a technical issue (and even then, the two aren’t necessarily mutually exclusive).