Engineers at Microsoft and Samba have issued security fixes for the Badlock bug.A website dedicated to the flaw describes Badlock (CVE-2016-2118) as a security vulnerability that affects Windows and Samba versions 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, and 4.4.0.“On April 12th, 2016 Badlock, a crucial security bug in Windows and Samba was disclosed,” the website explains. “Please update your systems. We are pretty sure that there will be exploits soon.”Attackers can leverage the vulnerability, which received a 7.1 base CVSS score and 6.4 temporal CVSS score, to perform man-in-the-middle (MitM) attacks against protocols used by Samba, which would allow a malicious actor to execute arbitrary Samba network calls using the context of the intercepted user.The flaw also allows an attacker with remote network connectivity to Samba to conduct denial of service (DoS) attacks against Samba services.
Those with affected versions of Samba can fix their systems by implementing the patches provided by the Samba Team and SerNet for EnterpriseSAMBA / SAMBA+.Sysadmins might also choose to put additional MitM and DoS mitigations in place after patching is complete.Badlock was first unveiled to the security community back in the middle of March 2016. It was discovered by Stefan Metzmacher, a member of the international Samba Core Team who works at SerNet on Samba. He reported the bug to Microsoft, and he worked with the Redmond-based company to fix the problem.Industry experts spent several weeks discussing what systems the bug might affect, speculation which helped create an atmosphere of hype and FUD around Badlock.Those responsible for disclosing the bug feel there is some utility to announcing a vulnerability weeks in advance and giving it its own website and logo.“What branded bugs are able to achieve is best said with one word: Awareness,” they observe. “Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs. It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding – it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.”Many on Twitter disagree, though some feel Badlock could teach the security community a positive lesson going forward.Let’s all learn from this and find ways to better present vulnerabilities like this in the future. #badlock #worktogether— Ron Stoner (@forwardsecrecy) April 12, 2016For more information on this vulnerability, please see the Badlock website here.