Vulnerability Note VU#813296
Microsoft Windows and Samba may allow spoofing of authenticated users ("Badlock")
The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow an attacker to impersonate an authenticated user, gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as "Badlock".
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128
The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.
To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user.
A number of other related vulnerabilities exist only in Samba. For more information, please see the researcher's 'Badlock' website.
The CVSS score below is based on CVE-2016-2118.
A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.
Apply an update
Configure SMB signing to mitigate man-in-the-middle attacks. In Samba, set the following in the [global] section of smb.conf so that unsigned sessions are refused:
server signing = mandatory
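As an added example (not from the CERT note, Microsoft or Samba), the following Python script audits an smb.conf for the mitigation above. It assumes Samba's documented smb.conf conventions: INI-style sections, `key = value` lines, comment lines starting with `#` or `;`, and parameter names matched without regard to case or internal whitespace. The value synonyms it accepts for `mandatory` (`required`, `force`, `forced`) come from Samba's documentation, not from this note, and the classification of an absent parameter as "unset" reflects that Samba's effective default depends on the server role.

```python
"""Audit the 'server signing' setting in an smb.conf [global] section.

Added example, not part of the CERT note or of Samba itself. Assumes
Samba's documented smb.conf syntax (INI-style sections, 'key = value',
whole-line '#'/';' comments, parameter names matched ignoring case and
whitespace).
"""
import re

# Values Samba treats as "signing required" (assumption: taken from
# Samba's documented synonyms for 'mandatory').
REQUIRED_VALUES = {"mandatory", "required", "force", "forced"}
# Values that switch signing off entirely.
DISABLED_VALUES = {"disabled", "no", "false", "off", "0"}

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_PARAM_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def _normalize_key(key):
    """Samba matches parameter names case-insensitively, ignoring whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_global_section(text):
    """Return the parameters of the [global] section as a dict.

    Keys are normalized ('Server Signing' -> 'serversigning'); a later
    duplicate overrides an earlier one. Parameters placed in a share
    section are ignored, because Samba does not honour global parameters
    there.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section != "global":
            continue
        m = _PARAM_RE.match(line)
        if m:
            params[_normalize_key(m.group("key"))] = m.group("value")
    return params


def audit_server_signing(text):
    """Classify the 'server signing' setting of an smb.conf.

    Returns one of:
      'required'   - signing is mandatory (the mitigation in the note)
      'disabled'   - signing explicitly turned off
      'negotiable' - a value that still permits unsigned sessions
      'unset'      - parameter absent; the effective default depends on
                     the server role, so it is not proven to be required
    """
    value = parse_global_section(text).get("serversigning")
    if value is None:
        return "unset"
    v = value.strip().lower()
    if v in REQUIRED_VALUES:
        return "required"
    if v in DISABLED_VALUES:
        return "disabled"
    return "negotiable"


# Constructed sample configurations (not from any real deployment).
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    ; signing left negotiable: an on-path attacker can strip it
    server signing = auto

[share]
    path = /srv/share
    ; global parameter in a share section: Samba ignores it here
    server signing = mandatory
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    # spelled with different case; Samba still matches it
    Server Signing = mandatory

[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: server signing is {audit_server_signing(conf)}")
```

Running the script reports the weak configuration as "negotiable" and the hardened one as "required"; the misplaced setting in the `[share]` section of the weak configuration is deliberately ignored, which is the mistake this kind of check is meant to catch.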
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Microsoft Corporation | Affected | 25 Mar 2016 | 25 Mar 2016 |
| Samba | Affected | 25 Mar 2016 | 12 Apr 2016 |
| ACCESS | Unknown | 14 Apr 2016 | 14 Apr 2016 |
| Fujitsu | Unknown | 14 Apr 2016 | 14 Apr 2016 |
CVSS Metrics
Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-2118 CVE-2016-0128
- Date Public: 12 Apr 2016
- Date First Published: 12 Apr 2016
- Date Last Updated: 14 Apr 2016
- Document Revision: 48