7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.032 Low
EPSS
Percentile
91.1%
The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as โBadlockโ.
CWE-757: Selection of Less-Secure Algorithm During Negotiation (โAlgorithm Downgradeโ) - CVE-2016-2118, CVE-2016-0128
The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.
From Microsoftโs security bulletin MS16-047 for CVE-2016-0128:
An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.
_To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user. _
A number of other related vulnerabilities also exist only in Samba. For more information, please see the researcherโs โBadlockโ website.
The CVSS score below is based on CVE-2016-2118.
A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.
Apply an update
Affected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible.
Affected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest bugfix release (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates.
Network administrators may also consider the following workarounds:
Configure SMB for mitigating man-in-the-middle
According to โBadlockโ website, it is recommended that administrators set these additional options, if compatible with their network environment:
server signing = mandatory
ntlm auth = no
Restrict Network Access
As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall productโs manual for more information.
813296
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: March 25, 2016 Updated: March 25, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 25, 2016 Updated: April 12, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 14, 2016 Updated: April 14, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 14, 2016 Updated: April 14, 2016
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N |
Temporal | 6.9 | E:POC/RL:OF/RC:C |
Environmental | 6.9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2016-2118, CVE-2016-0128 |
---|---|
Date Public: | 2016-04-12 Date First Published: |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.032 Low
EPSS
Percentile
91.1%