ADVISORY: Apply Samba/Windows patches for Badlock Bug

Tuesday, April 12, 2016

This information is intended for U-M IT staff who are responsible for university machines that run Windows (file shares) or Samba. Note that machines running Linux and OS X may provide services through Samba and may therefore also be affected. It was sent via email to U-M IT staff groups on April 12, 2016.

Summary: 

Badlock, an important security bug in Windows and Samba, was disclosed on April 12, and patches were made available. The vulnerability severity is not as high as was initially implied in early reports, but please apply the patches as soon as possible after appropriate testing.

Problem: 

In late March, it was announced that patches for a newly discovered Samba and Windows vulnerability would be released on April 12. The announcement implied that the severity of the vulnerability would be very high. While the vulnerability does not appear to be as critical as was initially implied, it is still important to apply updates soon, after appropriate testing, because exploitation may begin relatively soon. Successful exploitation could allow an attacker to capture or modify sensitive data or gain administrative rights on a server.

Affected Versions: 

Affected versions of Samba are 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, and 4.4.0. Earlier Samba versions have not been assessed.

Affected versions of Microsoft Windows include Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2012, and Windows 10.
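The following script, added here as an example and not part of the original advisory, checks a Samba version string against the affected ranges listed above. It assumes the string comes from `smbd --version` output in the form "Version 4.2.9-Debian" (the exact output format is an assumption). Versions older than 3.6 are reported as "not assessed", matching the advisory's statement rather than guessing.

```python
import re

# Affected Samba releases as listed in the advisory, as inclusive
# (major, minor, lowest patch, highest patch) ranges; None as the highest
# patch means the entire minor series (the advisory's "x").
AFFECTED_RANGES = [
    (3, 6, 0, None),
    (4, 0, 0, None),
    (4, 1, 0, None),
    (4, 2, 0, 9),
    (4, 3, 0, 6),
    (4, 4, 0, 0),
]

# The advisory says versions before 3.6 were not assessed.
OLDEST_ASSESSED = (3, 6)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull (major, minor, patch) out of strings like 'Version 4.2.9-Debian'
    as printed by 'smbd --version' (the output format is an assumption)."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version number in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'affected', 'not affected' or 'not assessed' for a version string."""
    major, minor, patch = parse_version(text)
    if (major, minor) < OLDEST_ASSESSED:
        return "not assessed"
    for r_major, r_minor, low, high in AFFECTED_RANGES:
        if (major, minor) != (r_major, r_minor):
            continue
        if high is None or low <= patch <= high:
            return "affected"
    # Either a later series (4.5+) or a patch release above the affected range.
    return "not affected"


if __name__ == "__main__":
    # Constructed sample outputs; a real run would feed in 'smbd --version'.
    for sample in ("Version 4.2.9-Debian", "Version 4.2.10",
                   "Version 4.4.1", "Version 3.5.22"):
        print(f"{sample}: {classify(sample)}")
```

One caveat for the version check: distribution vendors often backport the fix without changing the upstream version number, so a "affected" result for a distro package should be confirmed against the vendor's changelog or security advisory before escalating.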

Action Items: 

Apply patches from your software vendor after appropriate testing. Prioritize patching for critical systems and systems that store or process sensitive data. We recommend that patching be completed within the next two to three weeks.

Threats: 

There are several man in the middle (MITM) attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. When using a MITM attack that intercepts administrator network traffic for a Samba AD server, it would be possible to view or modify secrets within an Active Directory (AD) database, including user password hashes, or shut down critical services. When intercepting administrator network traffic for a standard Samba server, it would be possible to modify user permissions on files or directories.

In addition to the MITM attacks, Samba services are vulnerable to a denial of service attack from an attacker with remote network connectivity to the Samba service.

Technical Details: 

The Security Account Manager Remote Protocol [MS-SAMR] and the Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD] are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol. These protocols are typically available on all Windows installations as well as every Samba server. They are used to maintain the Security Account Manager Database. This applies to all roles, including standalone, domain member, and domain controller.

Any authenticated DCERPC connection a client initiates against a server can be used by a man in the middle to impersonate the authenticated user against the SAMR or LSAD service on the server. The client-chosen application protocol, auth type (for example, Kerberos or NTLMSSP) and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter in this case. A man in the middle can change the auth level to CONNECT (which means authentication without message protection) and take over the connection. As a result, a man in the middle is able to get read/write access to the Security Account Manager Database, which reveals all passwords and any other potentially sensitive information.
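The downgrade described in the Threats and Technical Details sections works because the server accepts a DCERPC bind at auth level CONNECT. The script below, an added example that is not part of the original advisory, audits the [global] section of an smb.conf for the two settings that close that path after patching. The parameter names and expected values (`allow dcerpc auth level connect = no`, `client ipc signing = mandatory`) are taken from Samba's smb.conf documentation for the fixed releases, not from this advisory, so verify them against the man page for the Samba version you actually run; the configuration fragments are constructed for the example.

```python
import re

# Parameter names and expected values come from Samba's smb.conf
# documentation for the releases that fixed Badlock; the advisory itself
# does not list them, so treat this table as an assumption to verify
# against your own Samba version's man page.
EXPECTED = {
    # Refuse DCERPC binds at auth level CONNECT (no integrity or privacy).
    "allowdcerpcauthlevelconnect": {"no", "false", "0"},
    # Require signing on the client side of IPC$ (DCERPC over SMB) connections.
    "clientipcsigning": {"mandatory"},
}

# Constructed smb.conf fragments (not from the advisory). The weak one
# re-enables CONNECT-level binds and leaves IPC signing optional; the
# safe value it sets under [share] must be ignored because the parameter
# is global-only.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = standalone server
    Allow DCERPC Auth Level Connect = Yes
    client ipc signing = auto

[share]
    path = /srv/share
    allow dcerpc auth level connect = no
"""

HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = standalone server
    allow dcerpc auth level connect = no
    client ipc signing = mandatory
"""


def _normalize(name):
    """Samba matches parameter names case-insensitively and ignores whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global_section(text):
    """Return [global] parameters keyed by normalized name, values lower-cased."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                      # only [global] matters here
        key, value = line.split("=", 1)
        params[_normalize(key)] = value.strip().lower()
    return params


def audit(text):
    """Map each hardening parameter to 'ok', 'weak' or 'unset'.

    'unset' is reported on its own because, per the release notes for the
    fixed versions (assumed here), a patched Samba defaults both parameters
    to the safe value, while an unpatched Samba does not know them at all;
    the version check must therefore be done alongside this audit."""
    params = parse_global_section(text)
    verdicts = {}
    for key, good_values in EXPECTED.items():
        value = params.get(key)
        if value is None:
            verdicts[key] = "unset"
        elif value in good_values:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "weak"
    return verdicts


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit(conf))
```

On a real host, read `/etc/samba/smb.conf` (path varies by distribution) into `audit()`; a "weak" verdict on either parameter means an administrator has explicitly re-opened the downgrade that the Badlock patches close, which is worth a ticket even on a patched server.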

Information for Users: 

Users should have their personal Windows computers set to update automatically so that important security updates like these are applied as they become available from Microsoft. MiWorkspace machines will be patched as soon as possible. In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

References: