Badlock Bug Looms Large as April Deadline Nears

NEWS ANALYSIS: A new flaw in Samba and Windows Server Message Block protocol gets predisclosure bug branding, but that's not necessarily a bad thing.

Badlock bug

There is a new branded security vulnerability known as Badlock on the horizon, complete with its own Website and logo. Badlock is a currently unknown vulnerability in the open-source Samba project that enables interoperability for file and folder sharing between Linux and Windows environments. Full disclosure and a patch on the Badlock vulnerability is currently scheduled for April 12.

Samba makes uses of the Server Message Block (SMB) and Common Internet File System (CIFS) protocols to enable interoperability, but it's not yet clear where the precise Badlock vulnerability lies.

"Please get yourself ready to patch all systems on this day," the Badlock Website warns. "We are pretty sure that there will be exploits soon after we publish all relevant information."

Although no details are yet available on the precise nature of the Badlock bug, there is some credibility behind it, as it was discovered by Stefan Metzmacher, who is a member of the Samba Core Team and currently works for German IT services firm SerNet. Metzmacher reported the vulnerability directly to Microsoft, which would seem to indicate that the flaw is not just an open-source Samba issue, but also one that will directly impact SMB/CIFS in general across Windows servers.

The bug is set to be officially patched on April 12, the next regularly scheduled Microsoft Patch release date. This suggests that the flaw will impact Windows users directly. Given the broad deployment of SMB/CIFS and Samba across servers, storage devices and endpoints, a critical flaw is likely to have widespread potential impact.

The timing also is a bit interesting as the open-source Samba project just announced its 4.4.0 release March 22. Among the new capabilities in Samba 4.4.0 is an improvement in the smbstatus command.

"'smbstatus was enhanced to show the state of signing and encryption for sessions and shares," the Samba 4.4.0 release notes state.

The Branded Bug

The most controversial aspect of the Badlock bug is the fact that it's branded already, weeks prior to any formal disclosure. The Badlock bug site is even based on the same Website template as was used for Heartbleed—one of the most famous branded vulnerabilities.

First disclosed April 7, 2014, Heartbleed, or CVE-2014-0160, is a flaw in the Heartbeat function of the open-source OpenSSL crytpographic library. With Heartbleed, there was a branded Website the day of the disclosure that included information about the vulnerability; the timing of the branding was a first.

The trend of creating brand names for vulnerabilities has accelerated in the post-Heartbleed era, with Shellshock, Sandworm, POODLE, DROWN and others crowding the information security landscape. Badlock is different because the branding is happening before the actual disclosure.

Preannouncing a flaw to generate hype and interest is not an entirely new phenomenon. Back in 2008, security researcher Dan Kaminsky warned about a Domain Name System security vulnerability 30 days before a patch or formal disclosure was made public.

While over-hyping security vulnerabilities is not necessarily a good thing, the early Badlock branding might turn out to be very helpful.

Samba can sometimes be a challenging technology to deploy properly in an organization, aligning the right policies and access to limit potential security risks from unauthorized access. While the full details of Badlock are not yet known, it's probably a good idea for Samba users today to make sure they are upgraded to version 4.4.0 and, more importantly, have double-checked access and privilege configurations.

While bugs are never a good thing, many breaches are the result of software misconfiguration. In that respect, the scrutiny that this new flaw brings to Samba overall will hopefully get server administrators around the world thinking seriously about file server security today.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.