Software Engineering Institute

CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128

The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.

From Microsoft's security bulletin MS16-047 for CVE-2016-0128:

An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.

To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user.

A number of other related vulnerabilities also exist only in Samba. For more information, please see the researcher's 'Badlock' website.

The CVSS score below is based on CVE-2016-2118.

A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.

Apply an update

Affected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible.

Affected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest bugfix release (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates.

Network administrators may also consider the following workarounds:

Configure SMB for mitigating man-in-the-middle

According to 'Badlock' website, it is recommended that administrators set these additional options, if compatible with their network environment:

server signing = mandatory
ntlm auth = no

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.