CERT VU#813296

Microsoft Windows and Samba may allow spoofing of authenticated users ("Badlock")

2016-04-12 00:00:00
www.kb.cert.org

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.032 Low (Percentile 91.1%)

Overview

The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as "Badlock".

Description

CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128

The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.

From Microsoft's security bulletin MS16-047 for CVE-2016-0128:

An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.

To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user.

A number of other related vulnerabilities also exist only in Samba. For more information, please see the researcher's 'Badlock' website.

The CVSS score below is based on CVE-2016-2118.


Impact

A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.


Solution

Apply an update

Affected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible.

Affected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest bugfix release (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates.

Network administrators may also consider the following workarounds:


Configure SMB for mitigating man-in-the-middle

According to the 'Badlock' website, it is recommended that administrators set these additional options in the [global] section of smb.conf, if compatible with their network environment:

server signing = mandatory
ntlm auth = no
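To see whether a given smb.conf actually carries the two settings above, here is a small checker, written for this note as an added example (it is not CERT's, Samba's or the Badlock researcher's code). It parses the [global] section the way Samba reads parameter names (case-insensitive, internal whitespace ignored) and reports whether `server signing` and `ntlm auth` are set to mitigating values. The two sample configurations are constructed. The accepted spellings are an assumption drawn from the smb.conf manual rather than from this note: `required` and `yes` are treated as synonyms of `mandatory` for `server signing`, and for `ntlm auth` the later-Samba values `ntlmv2-only`, `mschapv2-and-ntlmv2-only` and `disabled` are accepted alongside `no`. An unset parameter is reported as not mitigated, because the compiled-in default depends on the Samba version; `testparm -v` remains the authoritative way to see effective settings.

```python
import re

# Constructed sample: signing left at its default, NTLMv1 still permitted.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   ; server signing not set
   ntlm auth = yes

[homes]
   browseable = no
"""

# Constructed sample carrying both settings recommended for Badlock.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   server signing = mandatory
   ntlm auth = no
"""

# Values accepted for each recommendation (assumption: synonyms taken from
# the smb.conf manual; the advisory itself names only 'mandatory' and 'no').
SIGNING_OK = {"mandatory", "required", "yes"}
NTLM_OK = {"no", "ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for smb.conf-style text.

    Samba ignores case and internal whitespace in parameter names, so
    'Server Signing' and 'serversigning' both become 'serversigning'.
    Full-line comments start with ';' or '#'. Section names are lower-cased.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip().lower()
    return sections


def check_badlock_mitigations(text):
    """Report the effective values and whether each mitigation is in place.

    An unset parameter is reported as '(unset)' and counted as not mitigated,
    since the default varies between Samba releases.
    """
    global_opts = parse_smb_conf(text).get("global", {})
    signing = global_opts.get("serversigning", "(unset)")
    ntlm = global_opts.get("ntlmauth", "(unset)")
    return {
        "server signing": signing,
        "ntlm auth": ntlm,
        "signing_mandatory": signing in SIGNING_OK,
        "ntlmv1_disabled": ntlm in NTLM_OK,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_badlock_mitigations(conf))
```

Run it against a real smb.conf by reading the file into `check_badlock_mitigations`; a `False` for either flag means the host still negotiates unsigned SMB or NTLMv1 and the workaround from the note has not been applied.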

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.


Vendor Information


Microsoft Corporation Affected

Notified: March 25, 2016 Updated: March 25, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Samba Affected

Notified: March 25, 2016 Updated: April 12, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified: April 14, 2016 Updated: April 14, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fujitsu Unknown

Notified: April 14, 2016 Updated: April 14, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           8.8    AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal       6.9    E:POC/RL:OF/RC:C
Environmental  6.9    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-2118, CVE-2016-0128
Date Public: 2016-04-12 Date First Published:
