Vulnerability Note VU#813296

Microsoft Windows and Samba may allow spoofing of authenticated users ("Badlock")

Original Release date: 12 Apr 2016 | Last revised: 14 Apr 2016

Overview

The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as "Badlock".

Description

CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128

The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.

From Microsoft's security bulletin MS16-047 for CVE-2016-0128:

    An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.

    To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user.

A number of other related vulnerabilities also exist only in Samba. For more information, please see the researcher's 'Badlock' website.

The CVSS score below is based on CVE-2016-2118.

Impact

A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.

Solution

Apply an update

Affected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible.

Affected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest bugfix release (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates.

Network administrators may also consider the following workarounds:

Configure SMB for mitigating man-in-the-middle

According to 'Badlock' website, it is recommended that administrators set these additional options, if compatible with their network environment:

server signing = mandatory
ntlm auth = no


Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected25 Mar 201625 Mar 2016
SambaAffected25 Mar 201612 Apr 2016
ACCESSUnknown14 Apr 201614 Apr 2016
FujitsuUnknown14 Apr 201614 Apr 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal 6.9 E:POC/RL:OF/RC:C
Environmental 6.9 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-2118 CVE-2016-0128
  • Date Public: 12 Apr 2016
  • Date First Published: 12 Apr 2016
  • Date Last Updated: 14 Apr 2016
  • Document Revision: 48

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.