Badlock Flaw Disclosed as Microsoft Issues 13 Security Advisories

The much-hyped Badlock bug is officially revealed, but it's not the most critical item for enterprises to be concerned about.

Badlock flaw

The Badlock vulnerability that affects both Microsoft Windows users as well as open-source Samba users on Linux is officially being disclosed and patched today.

The Badlock vulnerability first gained notoriety, thanks to a branded Website and logo that emerged in early March, warning of flaws in Server Message Block (SMB) and Common Internet File System (CIFS) protocols used in Windows as well as in Samba to enable file-sharing interoperability.

Badlock, however, is only one of multiple security issued that are being patched today as part of Microsoft's Patch Tuesday. Badlock is actually a series of vulnerabilities, including CVE-2016-2118 in Samba and CVE-2016-0128 on Windows. The vulnerabilities could potentially enable man-in-the middle (MITM) as well as denial-of-service (DoS) attacks against vulnerable Windows or Samba users.

"Badlock was meant to be a rather generic name and does not point to any specifics," the Website states. The early hype, including a logo and a branded Website to highlight the badlock flaw, generated backlash from parts of the security community.

For Linux vendor Red Hat, which includes Samba in its Red Hat Enterprise Linux, Fedora and CentOS Linux distributions, Badlock is actually somewhat of a success story. In the aftermath of the Heartbleed flaw two years ago, there was some criticism about open-source collaboration and security. Since then, there has been a strong focus on trying to find and fix vulnerabilities before they become large issues. Josh Bressers, security strategist at Red Hat, commented that Badlock is one more potentially dangerous exploit that was identified and addressed by the open-source community before it caused significant damage to the broader connected world.

"Working closely with the community over many months, Red Hat engineers have been heavily involved in the process of analyzing and developing Samba patches for Badlock-associated issues," Bressers told eWEEK. "Red Hat developers have coordinated with Microsoft, SerNet and others to provide responsible disclosure of Badlock to the industry."

In terms of severity, Red Hat sees Badlock itself as an important vulnerability, but the resulting Samba security issues are absolutely critical, he said.

"Samba is included in virtually every Linux distribution, including Red Hat Enterprise Linux, Fedora and CentOS, so we highly recommend that systems be updated as soon as possible to address any potential problems," Bressers said.

From a Microsoft perspective, the Badlock vulnerability is addressed in the MS16-047 update as part of April's Patch Tuesday releases. Microsoft refers to the vulnerability as a Windows RPC downgrade issue.

"An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect them adequately," Microsoft warns in its advisory. "The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel."

Wolfgang Kandek, CTO of Qualys, commented that Badlock overall seems less scary than the industry was led to believe.

"It's still worth patching, but the MITM position makes it certainly harder to exploit than some of the other vulnerabilities this month," Kandek told eWEEK.

The Badlock vulnerability is one of 13 advisories that Microsoft has for its April Patch Tuesday update. Among them are security bulletins for both Microsoft Internet Explorer and Edge Web browsers.

Kandek said he was surprised that this month Edge has the same number of vulnerabilities as IE, and in fact the Edge vulnerabilities are a little bit more critical. The MS16-037 update for Internet Explorer patches six vulnerabilities (CVE-2016-0154, CVE-2016-0159, CVE-2016-0160, CVE-2016-0162, CVE-2016-0164 and CVE-2016-0156). The MS16-038 bulletin details six vulnerabilities (CVE-2016-0154 through CVE-2016-0161) in Edge.

Although there is some overlap between the IE and Edge vulnerabilities, CVE-2016-0158 is unique in Edge, and is particularly troublesome, said Karl Sigler, manager, SpiderLabs Threat Intelligence at Trustwave. The CVE-2016-0158 issue is a Universal Cross-Site Scripting (UXSS) flaw that could enable an attacker to inject arbitrary code into any Website a user might load, he added. One of the early promises with Edge was that it would be more secure than IE, though Edge has definitely had its share of security issues, Sigler said.

"Given that it's supposed to be the more secure replacement for IE, it's a bit disheartening to see it with critical vulnerabilities month after month," Sigler told eWEEK. "Some of them are shared jointly by IE and Edge, but many of them are simply Edge-specific."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.