BadLock Opens Door for Samba-based MiTM, DDoS Attacks

BadLock Opens Door for Samba-based MiTM, DDoS Attacks

Details of a new, high-impact vulnerability known as BadLock have been revealed, affecting Samba, the standard Windows interoperability suite of programs for Linux and Unix. As the researchers who discovered it noted, “we are pretty sure that there will be exploits soon after we publish all relevant information.”

Fortunately, patches have been released today, and admins would behoove themselves to update their systems immediately.

The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team, working at SerNet on Samba. He reported the bug to Microsoft and has been working closely with the computing giant to fix the problem.

The research team said that the security vulnerabilities can be mostly categorized as man-in-the-middle or denial of service attacks.

The several MITM attacks that the flaw enables would permit execution of arbitrary Samba network calls using the context of the intercepted user. So for instance, by intercepting administrator network traffic for the Samba AD server, attackers could view or modify secrets within an AD database, including user password hashes, or shutdown critical services. On a standard Samba server, attackers could modify user permissions on files or directories.

As far as DDoS, Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

While there are several proof of concept (PoC) exploits that researchers have developed, they’re not releasing them to the public, nor are they going into detail on what the vulnerability entails or arises from. Red Hat researchers offered a bit more on the flaw:

It is “a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. DCE/RPC is the specification for a remote-procedure call mechanism that defines both APIs and an over-the-network protocol. The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups. The protocol exposes the “account database” for both local and remote Microsoft Active Directory domains. The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. This protocol, with minor exceptions, enables remote policy-management scenarios. Both SAMR and LSA protocols are based on the DCE 1.1 RPC protocol.”

These protocols are typically available to all Windows installations, as well as every Samba server. They are used to maintain the Security Account Manager database, which applies to all roles (for example, standalone, domain controller or domain member). The flaw thus gives attackers a way to insert themselves into that communications chain, and go on to execute a MiTM or DDoS attack.

The BadLock researchers announced weeks ago that they would be making this announcement and releasing patches, drawing not a little derision for hyping the situation—especially since they went so far as to develop a logo. But the researchers said that they were simply making use of the hash-taggable name to get people interested, talking about it and ready to patch.

“Like Heartbleed, what branded bugs are able to achieve is best said with one word: Awareness,” the researchers noted. “It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding—it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.”

Photo © Tatliana Popover

Source: Information Security Magazine