Badlock: Patch your Samba and Windows server now

The Badlock security holes are as bad as bad can be. You should patch your Samba and Windows servers immediately.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

When German firm SerNet announced that there were major flaws in the Windows Server file server and its open-source brother Samba, many people sneered at the news. They thought a company specializing in Samba support announcing a bug fix to Samba was little more than self-promotion. It was that too, but the Samba and Windows file server and administration tools problems are real and potentially deadly.


Badlock, silly name and all, masks a deadly Samba and Windows security problem.

That's because, as Jeremy Allison, a Google storage and open-source engineer and a senior Samba developer, explained, "This is a protocol-level vulnerability." Specifically, "the Security Account Manager Remote Protocol [MS-SAMR] and the Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD] are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol."

Or, in other words, Allison said, "This is really bad and you really must patch it. It affects everyone running these RPC [remote procedure call] services. Because of design decisions going back to Windows NT, every single file server uses it and they must all be patched. Since the RPCs are also used for remote admin access pretty much all Windows and Samba servers are vulnerable."

Red Hat agrees. The company states that it "views Badlock's related security issues as 'critical' and has issued several advisories and patches. We recommend patching affected systems as soon as possible."

To be exact, Badlock is a protocol vulnerability that allows man-in-the-middle (MITM) attacks to impersonate an authenticated user against Microsoft Active Directory. All versions of Samba are affected. If exploited, an attacker would be able to gain read/write access to the Security Account Manager (SAM) database, potentially revealing all user passwords and other sensitive information.

Further, these protocols are typically available on all Windows installations as well as every Samba server. They are used to maintain the SAM database. It doesn't matter how you're running your server. It can be in standalone mode, a domain member, or an AD domain controller. Regardless of how you run your server, it can be attacked.

What's worse is that any authenticated DCERPC connection a client initiates against a server can be used by a MITM to impersonate the authenticated user against the SAMR or LSAD service on the server.

What about your security? It won't help. According to the Common Vulnerabilities and Exposures (CVE) description, "the client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP) and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter in this case. A man in the middle can change auth level to CONNECT (which means authentication without message protection) and take over the connection."

Besides being used to hack the SAM, it can also be used for denial of service attacks on both the DCE-RPC client and server implementations. It can be used against Samba in all possible server roles. This is a security hole that just keeps on giving. In the case of Samba, all versions of Samba from 3.6.0 to 4.4.0 are vulnerable.

For Windows, Microsoft states, "This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10." While Microsoft doesn't mention it, it also hits all earlier, no longer supported versions of Windows since Windows NT. If you ever needed a serious security reason to upgrade your older versions of Windows, you now have one.

If you want to patch Samba by hand, Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available now. To quote the Badlock site, "Please update your systems. We are pretty sure that there will be exploits soon." You think!?
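
An added example, not part of the original article or of Samba's own tooling: a shell function that classifies the version string printed by `smbd --version` against the vulnerable range and fixed releases quoted above. The function name `badlock_status`, its status labels and the sample strings are constructed for illustration, and treating branches newer than 4.4 as fixed is an assumption.

```shell
#!/bin/sh
# Added example: classify a Samba version against the releases named in the article.
# Vulnerable range (3.6.0 to 4.4.0) and fixed releases (4.4.2, 4.3.8, 4.2.11)
# are taken from the text; everything else is labelled below.

badlock_status() {
    # Accepts a bare version ("4.3.6") or a line such as "Version 4.3.11-Ubuntu".
    local ver major minor patch fixed
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    if [ -z "$ver" ]; then echo "unparsed"; return 0; fi
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    # Fixed patch level per branch, as listed in the article.
    fixed=""
    case "$major.$minor" in
        4.4) fixed=2 ;;
        4.3) fixed=8 ;;
        4.2) fixed=11 ;;
    esac
    if [ -n "$fixed" ]; then
        if [ "$patch" -ge "$fixed" ]; then echo "patched"; else echo "vulnerable"; fi
        return 0
    fi
    # Assumption: branches newer than 4.4 were cut after the fix and include it.
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 4 ]; }; then
        echo "patched"; return 0
    fi
    # 3.6.x through 4.1.x: inside the vulnerable range, no fixed release named.
    if [ "$major" -eq 4 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; }; then
        echo "vulnerable"; return 0
    fi
    echo "unlisted"   # older than 3.6.0: outside the range the article gives
}

# Constructed sample inputs (not captured from real hosts).
for sample in "Version 4.4.0" "Version 4.3.8" "Version 4.2.10-Debian" \
              "Version 3.6.25" "Version 4.1.17"; do
    printf '%-24s %s\n' "$sample" "$(badlock_status "$sample")"
done
```

Distribution packages often backport fixes without changing the upstream version number, so a "vulnerable" result on a vendor build should be checked against the vendor's advisory.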
