Bug 971965 (CVE-2016-2118) - VUL-0: CVE-2016-2118: samba: SAMR and LSA man in the middle attacks possible (aka "BADLOCK")
Status: RESOLVED FIXED
Alias: CVE-2016-2118
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P2 - High, Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2016-2118:6.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-21 15:02 UTC by Marcus Meissner
Modified: 2017-09-14 22:39 UTC
CC: 11 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Swamp Workflow Management 2016-03-21 23:00:54 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-03-22 13:55:52 UTC
http://badlock.org/

Badlock Bug

On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.

Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.

Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.)

Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Q&A
Where to find more information?

This page will get updates regularly. Please come back for more information.
Who found the Badlock Bug?

Badlock was discovered by Stefan Metzmacher. He's a member of the international Samba Core Team and works at SerNet on Samba. He reported the bug to Microsoft and has been working closely with them to fix the problem.
Comment 7 Marcus Meissner 2016-04-04 08:31:09 UTC
===============================================================
== Subject:     SAMR and LSA man in the middle attacks possible
==
== CVE ID#:     CVE-2016-2118 (a.k.a. BADLOCK)
==
== Versions:    Samba 3.6.0 to 4.4.0
==
== Summary:     A man in the middle can intercept any DCERPC
==              traffic between a client and a server in order to
==              impersonate the client and get the same privileges
==              as the authenticated user account. This is
==              most problematic against active directory
==              domain controllers.
==
===============================================================

===========
Description
===========

The Security Account Manager Remote Protocol [MS-SAMR] and the
Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
are both vulnerable to man in the middle attacks. Both are application level
protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.

These protocols are typically available on all Windows installations
as well as every Samba server. They are used to maintain
the Security Account Manager Database. This applies to all
roles, e.g. standalone, domain member, domain controller.

Any authenticated DCERPC connection a client initiates against a server
can be used by a man in the middle to impersonate the authenticated user
against the SAMR or LSAD service on the server.

The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
in this case. A man in the middle can change auth level to CONNECT
(which means authentication without message protection) and take over
the connection.

As a result, a man in the middle is able to get read/write access to the
Security Account Manager Database, which reveals all passwords
and any other potential sensitive information.

Samba running as an active directory domain controller is additionally
missing checks to enforce PKT_PRIVACY for the
Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
is not enforcing at least PKT_INTEGRITY.

===================
New smb.conf option
===================

  allow dcerpc auth level connect (G)

    This option controls whether DCERPC services are allowed to be used with
    DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
    message integrity nor privacy protection.

    Some interfaces like samr, lsarpc and netlogon have a hard-coded default
    of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.

    The behavior can be overwritten per interface name (e.g. lsarpc,
    netlogon, samr, srvsvc, winreg, wkssvc ...) by using
    'allow dcerpc auth level connect:interface = yes' as option.

    This option yields precedence to the implementation specific restrictions.
    E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
    The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.

    Default: allow dcerpc auth level connect = no

    Example: allow dcerpc auth level connect = yes

=======================
Binding string handling
=======================

  The default auth level for authenticated binds has changed from
  DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
  That means ncacn_ip_tcp:server is now implicitly the same
  as ncacn_ip_tcp:server[sign] and offers a similar protection
  as ncacn_np:server, which relies on smb signing.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

You may lower risk by avoiding logging in/authenticating with privileged accounts
over unprotected networks. Privileged accounts should only be used on the physical
(server) console, so that authentication does not involve any network
communication.

If the machine is acting as client workstation you may restrict any incoming
network traffic by a firewall.

===========================
Vendor Specific Information
===========================

As this is a multi-vendor problem we have decided to use one CVE number
per vendor:

* For Samba it is CVE-2016-2118 (this one).
* For Windows see CVE-2016-0128.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
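The following is an added example (not Samba's code and not part of the advisory) that applies the precedence rules the advisory states for the new 'allow dcerpc auth level connect' option, and its affected version range, to a constructed smb.conf fragment. The reading that the global option only applies to interfaces without a hard-coded default is an assumption made here.

```python
HARDCODED = {"samr": False, "lsarpc": False, "netlogon": False,   # default no
             "epmapper": True, "mgmt": True, "rpcecho": True}       # default yes
# Implementation-specific minimums that take precedence over the option.
REQUIRED = {"drsuapi": "PRIVACY", "backupkey": "PRIVACY", "dnsserver": "INTEGRITY"}
OPTION = "allow dcerpc auth level connect"

# Constructed smb.conf: global yes plus a per-interface override for samr.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   allow dcerpc auth level connect = yes
   allow dcerpc auth level connect:samr = yes
"""

def parse_global(smb_conf):
    """[global] parameters as a dict with lower-cased keys and values."""
    section, opts = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))
            opts[key] = value
    return opts

def min_auth_level(interface, opts):
    """Lowest DCERPC auth level accepted for an interface. Precedence per the
    advisory: implementation minimum > per-interface override > hard-coded
    default > global option (assumed to apply only where no default is coded)."""
    if interface in REQUIRED:
        return REQUIRED[interface]
    override = opts.get(f"{OPTION}:{interface}")
    if override is not None:
        allowed = override in ("yes", "true", "1")
    elif interface in HARDCODED:
        allowed = HARDCODED[interface]
    else:
        allowed = opts.get(OPTION, "no") in ("yes", "true", "1")
    return "CONNECT" if allowed else "INTEGRITY"

def affected_version(version):
    """Upstream range from the advisory: 3.6.0..4.4.0, fixed in 4.2.10, 4.3.7,
    4.4.1. Distro builds with the backported patch keep an older version string
    (the SUSE packages on this page do), so only judge unpatched upstream builds."""
    v = tuple(int(x) for x in version.split(".")[:3])
    if not (3, 6, 0) <= v <= (4, 4, 0):
        return False
    return v[2] < {(4, 2): 10, (4, 3): 7, (4, 4): 1}.get(v[:2], 10**9)
```

Any interface that still resolves to CONNECT is one where the downgrade the advisory describes remains possible, so the per-interface override should be reserved for a documented reason.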
Comment 13 Johannes Segitz 2016-04-12 17:54:42 UTC
Is public: https://www.samba.org/samba/security/CVE-2016-2118.html
Comment 15 Swamp Workflow Management 2016-04-12 22:10:29 UTC
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1
Comment 16 Swamp Workflow Management 2016-04-12 22:12:26 UTC
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1
Comment 17 Swamp Workflow Management 2016-04-12 22:14:03 UTC
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1
Comment 18 Bernhard Wiedemann 2016-04-13 11:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (971965) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 19 Swamp Workflow Management 2016-04-13 12:08:35 UTC
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1
Comment 20 Bernhard Wiedemann 2016-04-13 15:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (971965) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 21 Forgotten User rn3EW6yyNk 2016-04-13 15:21:43 UTC
Is there expected to be an update or backport for 13.1 systems that are still running samba 4.1?
Comment 22 Marcus Meissner 2016-04-13 15:25:32 UTC
Yes, the evergreen team will issue an update as far as I read their mailing lists.
Comment 23 Swamp Workflow Management 2016-04-13 18:08:17 UTC
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1
Comment 24 Marcus Meissner 2016-04-14 08:27:03 UTC
statement from samba team:

CVE-2016-2118: This is "badlock" itself, and it does not apply before
samba 3.6, because it requires an authorization level that is not
supported until 3.6 (auth_level_connect).  So this particular
vulnerability simply isn't there

I am adding this note:
CVE-2016-2118 "This security feature that is affected by this bug was added in the Samba 3.6 series, so only Samba 3.6 and later were affected by this problem. We currently do not plan to backport this security protocol to older versions of Samba."
Comment 25 Swamp Workflow Management 2016-04-17 13:18:35 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 26 Swamp Workflow Management 2016-04-20 10:09:56 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 27 Swamp Workflow Management 2016-04-20 10:13:06 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 29 James McDonough 2016-05-08 11:32:09 UTC
Are we done here?
Comment 30 Marcus Meissner 2016-05-25 07:32:52 UTC
think so