Executive Summary

Summary
Title Microsoft Windows and Samba may allow spoofing of authenticated users ("Badlock")
Informations
Name VU#813296 First vendor Publication 2016-04-12
Vendor VU-CERT Last vendor Modification 2016-04-14
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#813296

Microsoft Windows and Samba may allow spoofing of authenticated users ("Badlock")

Original Release date: 12 Apr 2016 | Last revised: 14 Apr 2016

Overview

The Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as "Badlock".

Description

CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - CVE-2016-2118, CVE-2016-0128

The SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows.

From Microsoft's security bulletin MS16-047 for CVE-2016-0128:

    An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.

    To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user.

A number of other related vulnerabilities also exist only in Samba. For more information, please see the researcher's 'Badlock' website.

The CVSS score below is based on CVE-2016-2118.

Impact

A remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack.

Solution

Apply an update

Affected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible.

Affected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest bugfix release (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates.

Network administrators may also consider the following workarounds:

Configure SMB for mitigating man-in-the-middle

According to 'Badlock' website, it is recommended that administrators set these additional options, if compatible with their network environment:

server signing = mandatory
ntlm auth = no


Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected25 Mar 201625 Mar 2016
SambaAffected25 Mar 201612 Apr 2016
ACCESSUnknown14 Apr 201614 Apr 2016
FujitsuUnknown14 Apr 201614 Apr 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base8.8AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal6.9E:POC/RL:OF/RC:C
Environmental6.9CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://badlock.org/
  • https://www.samba.org/samba/security/CVE-2016-2118.html
  • https://www.samba.org/samba/latest_news.html#4.4.2
  • https://technet.microsoft.com/library/security/MS16-047
  • https://isc.sans.edu/forums/diary/Getting+Ready+for+Badlock/20877/
  • http://cwe.mitre.org/data/definitions/757.html

Credit

Credit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-2118CVE-2016-0128
  • Date Public:12 Apr 2016
  • Date First Published:12 Apr 2016
  • Date Last Updated:14 Apr 2016
  • Document Revision:48

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/813296

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-254 Security Features

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 327
Os 6
Os 2
Os 1
Os 1
Os 1
Os 1
Os 1
Os 2
Os 2
Os 1

Snort® IPS/IDS

Date Description
2016-05-12 DCERPC Bind auth level packet privacy downgrade attempt
RuleID : 38462 - Revision : 2 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2016-1014.nasl - Type : ACT_GATHER_INFO
2016-12-27 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201612-47.nasl - Type : ACT_GATHER_INFO
2016-05-26 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2950-5.nasl - Type : ACT_GATHER_INFO
2016-05-19 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2950-4.nasl - Type : ACT_GATHER_INFO
2016-05-12 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL37603172.nasl - Type : ACT_GATHER_INFO
2016-05-05 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2950-3.nasl - Type : ACT_GATHER_INFO
2016-05-02 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2950-2.nasl - Type : ACT_GATHER_INFO
2016-04-22 Name : The remote Fedora host is missing a security update.
File : fedora_2016-383fce04e2.nasl - Type : ACT_GATHER_INFO
2016-04-21 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-490.nasl - Type : ACT_GATHER_INFO
2016-04-19 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2950-1.nasl - Type : ACT_GATHER_INFO
2016-04-18 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2016-106-02.nasl - Type : ACT_GATHER_INFO
2016-04-18 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-462.nasl - Type : ACT_GATHER_INFO
2016-04-15 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1028-1.nasl - Type : ACT_GATHER_INFO
2016-04-15 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1024-1.nasl - Type : ACT_GATHER_INFO
2016-04-15 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1023-1.nasl - Type : ACT_GATHER_INFO
2016-04-15 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1022-1.nasl - Type : ACT_GATHER_INFO
2016-04-15 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0614.nasl - Type : ACT_GATHER_INFO
2016-04-14 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-453.nasl - Type : ACT_GATHER_INFO
2016-04-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-be53260726.nasl - Type : ACT_GATHER_INFO
2016-04-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-48b3761baa.nasl - Type : ACT_GATHER_INFO
2016-04-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3548.nasl - Type : ACT_GATHER_INFO
2016-04-14 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-686.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160412_samba_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160412_samba_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0612.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-0611.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-0612.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-0613.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-0621.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_a636fc2600d911e6b704000c292e4fd8.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Windows host is affected by an elevation of privilege vulnerability.
File : ms16-047.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-0611.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-0612.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-0613.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-0621.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0611.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0613.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0618.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0619.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0620.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0621.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0623.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-0624.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Samba server is affected by multiple vulnerabilities.
File : samba_4_3_7.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : An SMB server running on the remote host is affected by the Badlock vulnerabi...
File : samba_badlock.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160412_samba3x_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2016-04-13 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20160412_samba_and_samba4_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2016-04-12 Name : The remote Windows host is affected by an elevation of privilege vulnerability.
File : smb_nt_ms16-047.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
Date Informations
2016-07-22 13:38:25
  • Multiple Updates
2016-07-07 21:27:02
  • Multiple Updates
2016-04-14 21:25:24
  • Multiple Updates
2016-04-13 21:29:42
  • Multiple Updates
2016-04-13 05:28:17
  • Multiple Updates
2016-04-12 21:23:31
  • First insertion