Earlier this month saw the end of operations for a group known as the Shadow Brokers (who were responsible for the disclosure of critical security vulnerabilities in enterprise networking infrastructure). Their online auction of exploits remains open.
Among the exploits for sale is a possible zero day (defined) SMB (defined) exploit for Windows. With the potential use of this exploited predicted, the US-CERT issued a security advisory, which suggested disabling SMB version 1 and disabling the use of SMB version 2 at the network perimeter (preventing external access or internal traffic reaching outside of the corporate network). As previously noted on this blog, securing the use of SMB version 2 in this manner will also protect against the Redirect to SMB vulnerability.
These recommendations should better secure your corporate network against this exploit as well as future vulnerabilities.
Yesterday as scheduled the Samba project and Microsoft made available their security updates to resolve the issue that was previously announced and named “Badlock.”
Why Should These Issues Be Considered Important?
While this issue is important (it affects a lot of Windows version from Server 2008/Vista up to and including Windows Server 2016/Windows 10), it’s severity was exaggerated in it’s announcement last month. Microsoft have assigned it an important severity rather than critical. They have done so since it is an elevation of privilege (EoP) (defined) issue that would allow an attacker to increase their privileges (which would allow them to cause even more harm) once they have already exploited another vulnerability to become present on your device in the first instance.
This vulnerability could allow an attacker to listen/analyse the traffic on your network; this technique is known as a man-in-the-middle-attack (MITM, defined). If your login credentials happened to be within the traffic the attacker gathers and analyzes there is a possibility they could obtain the unencrypted username and password used to access your device/account upon that device (even though your sensitive information is encrypted). Further discussion of this issue is available here.
How Can I Protect Myself from These Issues?
Updates from the Samba project and Microsoft are available to resolve this security issue. Please download and install them as soon as possible if you are affected by this issue.
Update: 13th April 2016:
Further information and advice for mitigating the Badlock issue is provided by US CERT in this vulnerability note. The Samba project also discusses its updated software releases in this release news post.
While there are no known issues with these updates at this time, as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.
Update: 13th April 2016:
Further details as well as updates to resolve the Badlock issue are discussed in a more recent blog post.
Earlier this week an announcement was made by SerNet (a Samba consulting company who set up the Badlock website) that a critical security update would be made available on the 12th of April to address a vulnerability in the SMB/CIFs protocol (defined below) that is the basis of the open source Samba project. The 12th of April is the well-known second Tuesday of the month known as Update Tuesday (or Patch Tuesday) when Adobe, Microsoft and others commonly make available security updates on a scheduled basis.
Some advice that you can follow to better prepare for this update being made available is described in this SANS blog post as well as this very informative and practical InfoWorld article. Further background on this announcement can be found here.
I will publish another blog post on or very soon after the 12th of April to provide the appropriate information for you to address this vulnerability in a timely manner.
What is the SMB/CIFS protocol?
The Server Message Block (SMB) protocol is also referred to as the Common Internet File System (CIFS) is an application layer (layer 7 of the OSI model) protocol that allows the sharing of printers but mainly provides file access/transfer in a Microsoft network using mapped network drives. Further features of SMB/CIFS are detailed in this Sophos blog post.
Samba is an open source (the source code (human readable code) is free to view and edit by the wider IT community) application that provides the above mentioned network services across Linux/Unix and Microsoft servers/clients.