NSFOCUS has been following domestic security trends closely and issued its first BadLock threat warning as early as March. April 12 is Microsoft's patch day, and the patch Microsoft released that day covers the BadLock vulnerability, which affects every version of Windows and of the Samba service; the degree of harm should not be underestimated. NSFOCUS has therefore tracked and analyzed the BadLock vulnerability technically and provides the corresponding protective recommendations.
BadLock timeline tracking
Stefan Metzmacher, a member of the international Samba Core Team, found a serious security vulnerability present in both Microsoft Windows platforms and the Samba service software, and named it BadLock.
Samba is a free and open-source implementation of the SMB (Server Message Block)/CIFS (Common Internet File System) network file sharing protocol. It runs on most operating systems, including Windows, Unix, IBM System and OpenVMS. Samba allows non-Windows platforms to communicate and share network resources with Windows products using the same networking protocol.
BadLock impact level
For details on BadLock, refer to the following:
The CVEs associated with BadLock are as follows:
[Figure: CVE list]
BadLock mainly refers to a man-in-the-middle vulnerability in the SAM (Security Account Manager) and LSAD (Local Security Authority Domain Policy) protocols.
SAM and LSAD are user-level protocols built on DCE/RPC and are used by all Windows systems and Samba servers. On Windows, the SAM and LSAD protocols provide local account storage management, remote user authentication and related functions; for example, SAM and LSAD are used when an administrator logs in remotely to a Windows machine.
BadLock notes that the vulnerability allows an attacker to obtain an authenticated connection to a remote machine illegitimately. When a client connects to a remote machine and obtains an authenticated connection, an attacker who can intercept the traffic can carry out a man-in-the-middle attack regardless of the application protocol the user chose, the authentication type (such as Kerberos or NTLMSSP) and the authentication level (NONE, CONNECT, PKT_INTEGRITY or PKT_PRIVACY): the connection is downgraded to the unencrypted CONNECT authentication level, and the attacker takes over the legitimate user's connection. If the traffic of a network administrator remotely accessing a domain controller is intercepted, the attacker gains read and write access to the SAM data on the domain controller and can thus steal users' password hashes and other sensitive information from it.
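The downgrade described above hinges on the authentication level negotiated in the DCE/RPC bind. The following added detection example, which is not NSFOCUS's code, parses a bind PDU, checks whether it targets SAMR or LSARPC, and flags binds whose sec_trailer carries an authentication level below PKT_INTEGRITY (the numeric RPC_C_AUTHN_LEVEL_* values and interface UUIDs are taken from MS-RPCE/MS-SAMR/MS-LSAD; build_bind produces constructed sample PDUs, not captured traffic).

```python
import struct
import uuid

# Authentication levels from MS-RPCE 2.2.1.1.8 (RPC_C_AUTHN_LEVEL_*).
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
AUTH_TYPES = {9: "SPNEGO", 10: "NTLMSSP", 16: "KERBEROS"}
PKT_INTEGRITY = 5
PTYPE_BIND = 11
# Interface UUIDs of the two protocols BadLock concerns (MS-SAMR and MS-LSAD).
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
LSARPC_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
SENSITIVE = {SAMR_UUID: "SAMR", LSARPC_UUID: "LSARPC"}
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def parse_bind(pdu):
    """Extract requested interfaces and the sec_trailer from a little-endian bind PDU."""
    if pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    n_ctx, off, ifaces = pdu[24], 28, []
    for _ in range(n_ctx):                      # presentation context list
        n_ts = pdu[off + 2]                     # number of transfer syntaxes offered
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_ts                   # ctx header + abstract syntax + transfer syntaxes
    auth = None
    if auth_len:                                # sec_trailer sits right before the auth data
        t = frag_len - auth_len - 8
        auth = (pdu[t], pdu[t + 1])             # (auth_type, auth_level)
    return ifaces, auth


def assess(pdu):
    """Flag SAMR/LSARPC binds that carry no per-packet integrity protection."""
    ifaces, auth = parse_bind(pdu)
    findings = []
    for name in (SENSITIVE[i] for i in ifaces if i in SENSITIVE):
        if auth is None:
            findings.append(f"{name}: unauthenticated bind")
        elif auth[1] < PKT_INTEGRITY:
            findings.append(f"{name}: {AUTH_TYPES.get(auth[0], auth[0])} at {AUTH_LEVELS[auth[1]]}, no packet integrity")
    return findings


def build_bind(iface, auth_type=0, auth_level=0, auth_data=b"\x00" * 8):
    """Construct a minimal one-context bind PDU (constructed sample input, not captured traffic)."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)          # max_xmit, max_recv, assoc_group, n_ctx
    body += struct.pack("<HBx", 0, 1) + iface.bytes_le + struct.pack("<I", 1) + NDR32.bytes_le + struct.pack("<I", 2)
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0) + auth_data if auth_level else b""
    frag_len = 16 + len(body) + len(trailer)
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 3, 0x10, frag_len, len(auth_data) if auth_level else 0, 1)
    return hdr + body + trailer
```

Run assess() over bind PDUs pulled from a capture: a SAMR or LSARPC bind at NONE or CONNECT is exactly the state the downgrade leaves behind, while PKT_INTEGRITY or PKT_PRIVACY binds pass.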