System administrators who'd spent the past three weeks on high alert over a mysterious Samba vulnerability can stand down. Not only did Badlock turn out to be a marketing ploy to drum up interest in a ho-hum man-in-the-middle and denial-of-service vulnerability, it also distracted administrators from real vulnerabilities demanding attention.
The pre-release announcement in mid-March coyly hinted at a "crucial" security vulnerability in Samba, an open source implementation of the SMB (server message block) protocol that provides file and print services for Windows clients.
Based on the name and the suggestion that it would be easily exploitable, many experts postulated Badlock was a remote code execution flaw that could be used to create a worm capable of spreading across open file shares.
The reality was far less frightening, as Badlock is merely a man-in-the-middle attack against file and print services on Windows and Linux systems that could lead to privilege escalation or denial of service.
Microsoft rated Badlock, which affects the Windows implementation of the SMB/CIFS protocol (CVE-2016-0128), as "important" in its Patch Tuesday advisory. The base score is 7.1 under the Common Vulnerability Scoring System. The SMB protocol itself is not affected. The bug to end all bugs? Not by a long shot.
Overhyped and underdelivered
Microsoft said attackers would be able to login as another user only for applications or products using SAM (Security Account Manager) or LSAD (Local Security Authority Domain Policy) remote protocols. SAM provides management functionality for an account store or directory containing users and groups, and it exposes the "account database" for both local and remote Microsoft Active Directory domains. LSAD manages machine and domain security policies.
"As a result of this exploit, the attacker would be able to gain read/write access to the Security Account Manager database, potentially revealing all user passwords and other sensitive information," Red Hat warned in its Badlock advisory.
The Badlock vulnerability in open source Samba affects SAMR and LSA (CVE-2016-2118). It may not be a drop-everything-and-patch flaw, but administrators should still take care of the updates, since exploits will surface eventually.
There are seven other CVEs in Samba related to Badlock, and Red Hat rated them as critical: multiple errors in DCE-RPC code (CVE-2015-5370); vulnerability in negoritation of NTLMSSP, which allows for a downgrade attack (CVE-2016-2110); a NETLOGON spoofing vulnerability (CVE-2016-2111); the LDAP client and server not enforcing integrity (CVE-2016-2112); missing TLS certificate validation (CVE-2016-2113); a vulnerability in how server signing is enforced (CVE-2016-2114); and SMB IPC traffic not being protected (CVE-2016-2115). Microsoft had protections against this type of downgrade attacks in Windows Vista, and the Samba issues are specific to versions 3.0.0 to 4.4.0.
While an attack against Samba or Microsoft's implementation of SMB protocol is not a trivial matter, Badlock won't be as serious as past attacks against SMB/CIFS. The most likely scenario with Badlock is one of an internal user who can intercept and modify network traffic in transit. The user would then be able to gain privileges equivalent to the intercepted user.
"An attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better depending on your point of view) attacks they may leverage," said Tod Beardsley, a security researcher manager at Rapid7.
Hype overshadows more serious issues
Setting aside the questionable ethics of overhyping a bug simply to get publicity for the company that coordinated the fix, this kind of marketing and branding is a problem as it overshadows more serious vulnerabilities. Yes, it's easier for people to keep track of bugs with catchy names, but in this case, they're focused on the wrong flaws.
Microsoft released an update resolving four critical vulnerabilities in Microsoft Graphics Component (MS16-039). Three of the vulnerabilities require the attacker to first log on to the targeted system, and the fourth would rely on the user being tricked into visiting an untrusted Web page containing embedded fonts. Two bugs have already been detected in exploits in the wild (CVE-2016-0165 and CVE-2016-0167), making this a higher priority than Badlock.
"Whilst MS16-039 lacks the logo, catchy name, and theme tune, it does have the potential to lead to the execution of unauthorized code on a target," said Gavin Millard, the EMEA technical director at Tenable Network Security.
Last week, Adobe released an out-of-band update to address zero-day vulnerabilities in Flash Player that were being exploited by a ransomware kit. Microsoft didn't update Flash in its browsers until this week, which means those users were vulnerable for an extra five days. Applying the Internet Explorer Cumulative update should be a bigger priority than Badlock.
Security teams already had set aside time to address Badlock -- use the scheduled window to test and apply updates for the real issues instead.