Badlock Vulnerability Falls Flat Against Hype (threatpost.com) 21
msm1267 quotes a report from Threatpost: Weeks of anxiety and concern over the Badlock vulnerability ended today with an anticlimactic thud. Badlock was the security boogeyman since the appearance three weeks ago of a website and logo branding the bug as something serious in Samba, an open source implementation of the server message block (SMB) protocol that provides file and print services for Windows clients. As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it's a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services. SerNet, a German consultancy behind the discovery of Badlock, fueled the hype at the outset with a number of since-deleted tweets that said any marketing boost as a result of its branding and private disclosure of the bug to Microsoft was a bonus for its business. For its part, Microsoft refused to join the hype machine and today in MS16-047 issued a security update it rated 'Important' for the Windows Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD). The bulletin patches one vulnerability (CVE-2016-0128), an elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels, Microsoft said. An attacker could then impersonate an authenticated user.
Was it because if you're talking MS protocols... (Score:2)
Re: (Score:2)
Unless I'm misunderstanding something here, the "thud" mean "who would open a SMB service to the internet anyway?" That's why some security people were confused why they were making such a big deal over a SMB vulnerability. Needs to be fixed, yes, but not a huge deal, since that's typically a service only exposed to your own intranet.
Re:Was it because if you're talking MS protocols.. (Score:5, Informative)
It's not an SMB protocol bug. It's a generic flaw in the DCE RPC protocol used for all RPC services on Windows and specifically to administer Active Directory Domain Controllers. That's why we really want people to patch (both Samba *and* Windows users).
Re: (Score:1)
This is not a minor bug. Exploiting this bug allows you to impersonate the domain administrator. That then allows you to extract all passwords for all users in the domain.
Re: (Score:2)
No matter which way you cut it, you need to be inside the domain, already, to start exploiting this. If you're already in the domain, then the victim already has problems. Not saying t
Re: (Score:1)
You can not extract the users plaintext passwords. But you can most definitely extract the kerberos secrets for the users which is just as good as the plaintext passwords themselves.
ktexport.exe for example.
See here for more tools to dump the secrets for all users from DC/ADS. You have to be domain admin though.
Samba also has their own tools to dump all the secrets to a keytab so that it can be imported into wireshark.
It is VERY useful to be able to decrypt kerberos protected DCE/RPC traffic when debugging
Re: (Score:2)
Re: (Score:2)
Red Hat has a different view - and it's not hype (Score:4, Informative)
It's a relief I guess (Score:4, Insightful)
I was anticipating the worst and so it's good that we can just continue with our normal patch cycle.
Shame on SerNet for causing undue stress in Windows admins everywhere... jerks
How Badlock Was Discovered and Fixed (Score:2)
Fantastic article from Alexander Bokovoy on
how this thing was found and fixed !
http://rhelblog.redhat.com/201... [redhat.com]