The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as "Badlock".
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128
The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.
A remote attacker with sufficient network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.
Apply an update
Configure SMB to mitigate man-in-the-middle attacks
server signing = mandatory
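The setting above is a parameter in the [global] section of Samba's smb.conf. As an added example (not part of the original advisory and not Samba's own code), this Python check audits a configuration for it and accepts only the value the advisory gives; the sample configurations are constructed and the function names are hypothetical.

```python
import re

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    ; server signing = mandatory
    Server Signing = auto
[share]
    path = /srv/share
"""
HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    server signing = mandatory
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued lines
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or full-line comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = _norm(header.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()  # last assignment wins
    return params

def check_server_signing(text):
    """Return (ok, detail); only the advisory's value 'mandatory' passes."""
    value = global_params(text).get("serversigning")
    if value is None:
        return False, "server signing not set in [global]"
    if value.lower() == "mandatory":
        return True, "server signing = mandatory"
    return False, f"server signing = {value} (advisory calls for mandatory)"

if __name__ == "__main__":  # usage: pass the smb.conf path as the argument
    import sys
    with open(sys.argv[1], errors="replace") as fh:
        print(check_server_signing(fh.read()))
```

The check does not follow `include` directives; `testparm -s` prints the effective configuration that Samba loads.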
Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.
This document was written by Garret Wassermann.