search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Windows and Samba may allow spoofing of authenticated users ("Badlock")

Vulnerability Note VU#813296

Original Release Date: 2016-04-12 | Last Revised: 2016-04-14

Overview

The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as "Badlock".

Description

CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128

The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.

From Microsoft's security bulletin MS16-047 for CVE-2016-0128:

An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.

To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user.

A number of other related vulnerabilities also exist only in Samba. For more information, please see the researcher's 'Badlock' website.

The CVSS score below is based on CVE-2016-2118.

Impact

A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.

Solution

Apply an update

Affected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible.

Affected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest bugfix release (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates.

Network administrators may also consider the following workarounds:

Configure SMB for mitigating man-in-the-middle

According to 'Badlock' website, it is recommended that administrators set these additional options, if compatible with their network environment:

server signing = mandatory
ntlm auth = no


Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information

813296
 
Expand all

CVSS Metrics

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal 6.9 E:POC/RL:OF/RC:C
Environmental 6.9 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-2118, CVE-2016-0128
Date Public: 2016-04-12
Date First Published: 2016-04-12
Date Last Updated: 2016-04-14 18:29 UTC
Document Revision: 50

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis