In mid-March 2016, an unusual announcement was made: It did not detail a vulnerability, but rather mentioned than a vulnerability will be announced on 12 April 2016 that affects Samba and Windows. On 12 April, the vulnerability – branded “Badlock” – was detailed on badlock.org, a website that was registered on 11 March 2016.
This leads us to several questions: “What is Badlock and what is its impact?”, “Why was the announcement delayed by more than a month?”, “Why was this vulnerability given a name?”, and most importantly, “How do we protect ourselves from Badlock?” First, what is Badlock? Badlock.org states that it is a “crucial security bug in Windows and Samba”. The CVE (Common Vulnerabilities and Exposures) numbers CVE-2016-2118 (for Samba) and CVE-2016-0128 (for Windows) reference the Badlock vulnerability. A list of additional CVEs were produced that are related to Badlock by the website.
As for the impact of Badlock, attackers can exploit several vulnerabilities that can lead to Man-in-the-middle attacks or Denial-of-Service attacks. Badlock in itself is an Elevation of Privilege vulnerability. As per Microsoft’s bulletin, the vulnerability is “caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel.” The vulnerability is in the way SAMR protocol handles authentication levels. The Samba advisory states that “A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers”. This leads to the conclusion that the attacker must already have the ability to intercept the network traffic to be able to carry out the MitM attack. Once exploited, the attacker will be able to gain read and write access to SAM database and access password hashes. The attacker can use these credentials to impersonate another user.
Why was the announcement delayed, and why was it given the name Badlock? Although the announcement of the vulnerability took a long time, work had been going on in the background with both Microsoft and Samba teams patching against this set of vulnerabilities. The other controversial issue is the name; Badlock is not classed as a Critical vulnerability, nor was it as widespread as some un-named vulnerabilities and attacks. The name Badlock – which is a generic name chosen by the discoverer - was given it to create awareness of the vulnerability and – according to some sources – to get themselves some attention. While the issue of naming vulnerabilities remains controversial, the risks of being exploited remain very real.
Although it is unknown whether it was exploited in the wild, Badlock has been patched against in many new versions of Samba and Windows. Samba’s releases 4.4.2, 4.3.8, and 4.2.11 protect against the Badlock vulnerability. Doing the most recent Windows update will patch against Badlock as well.