A new vulnerability known as Badlock is ruffling feathers following a cryptic announcement that has triggered another debate over responsible disclosure, with a twist that some experts are calling irresponsible.
Though the patches for the "crucial security bug in Windows and Samba" won't be available until April 12, news of the vulnerability was announced three weeks early, thanks to SerNet, a security consulting firm based in Germany.
The bug was found by longtime Samba developer Stefan Metzmacher, who works for SerNet. According to SerNet's announcement, Badlock is "a severe bug that affects almost all versions of Microsoft Windows and Samba."
Patches for Windows and Samba versions 4.4, 4.3 and 4.2 will be released on April 12, Microsoft's next Patch Tuesday. Support for Samba 4.1, which was also subject to the flaw, was discontinued as of March 23.
"The main goal of this announcement is to give a heads-up and to get you ready to patch all systems as fast as possible, and have sys admin resources available on the day the patch will be released," the Badlock website stated, justifying the preannouncement as a way to give administrators extra time to prepare for installing the patches as soon as they are made available.
Hype, or valid vulnerability disclosure?
SerNet's announcement has sparked another discussion over responsible disclosure practices for software vulnerabilities.
"It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it," the website noted. "This process didn't start with the branding -- it started a while ago, with everyone working on fixes."
Experts disagreed over whether the preannouncement, with a companion website and catchy vulnerability name, was a bald-faced attempt on the part of SerNet to capitalize on Metzmacher's discovery -- or a reasonable variation on the responsible disclosure of vulnerabilities, one that gives administrators enough time to prepare for the patches before they are available.
"A new development in bug reporting is to create a catchy name and a logo for marketing purposes," said John Bambenek, manager of threat systems for Fidelis Cybersecurity in Waltham, Mass. "In this case, it appears that the people involved were part of the Samba core team, so they are 'in the family,' so to speak. Their motives appear to be awareness and getting a patch released."
While business may be business, some critics called out the announcement as dangerous, because it might give malicious researchers enough information to work with and enough time to find the vulnerability themselves -- and exploit it before the patches are available.
Responsible disclosure or not?
Experts disagreed as to whether or not -- and the degree to which -- the Badlock disclosure is responsible.
"In general, this appears to be a responsible disclosure," Bambenek said. While attackers could be looking for the vulnerability and ways to exploit it before the patches are available, he said that risk should be considered, along with the interests of defenders who need to make patching decisions. "They need information about upcoming vulnerabilities before the patch hits Windows Update."
While he assessed the risk of a malicious actor finding the vulnerability before patches are available as low, Bambenek said if it did happen, "Microsoft and Samba at least know what the vulnerability is ahead of time, and they can use alternative mitigations in the meantime prior to the patch."
"The early Badlock announcement is on the borderline of responsible vulnerability disclosure," said Lane Thames, security researcher at Tripwire Inc., based in Portland, Ore. "There are enough details about this vulnerability that malicious actors who have in-depth knowledge of this software family and underlying protocols could possibly find the vulnerable code."
However, not everyone agreed Badlock is a responsible disclosure.
"I personally don't think that it's a good approach. Awareness is important, but you should not only make people aware of issues, but also provide a solution," said Alexander Polyakov, CTO at application security firm ERPScan, in Palo Alto, Calif. "Researchers who discovered the Heartbleed vulnerability took almost the same actions, but in a right order. First of all, they helped people to fix the issue, and then got recognition for that."
Suggesting the Badlock vulnerability finders were being insincere in their aim to help administrators, Polyakov said: "In reality, admins will waste several next weeks on useless discussions and worries. They'll be so exhausted and demotivated by endless talks about nothing -- because now, there is no solution or patch -- that by the time the patch is released, they won't pay attention to it."
"Three weeks ahead of the patches being released, that is hardly responsible -- it gave attackers a head start," said Jacob Williams, founder of infosec consulting firm Rendition InfoSec in Augusta, Ga. "As it stands, they tweeted about the vulnerability impact, and the name suggests the portion of the code where the [vulnerability] is at."
Williams, blogging as "MalwareJake," was even more direct when he wrote a scathing post criticizing the timing of the Badlock disclosure, as well as the publicity around it.
What Badlock might be, and what to do about it
The name given to the vulnerability, Badlock, was thought to point to the nature of the vulnerability. For example, security researcher David Litchfield tweeted:
@SwiftOnSecurity Due to name "badlock", I'm guessing controllable mem write after file handle invalidated on broken lock over CIFS.— David Litchfield (@dlitchfield) March 22, 2016
More speculation was based on the description of the vulnerability as "severe," and SerNet's announcement that "attack vectors and exploits will be in the wild in no time" after the disclosure. Some experts concluded the flaw is likely to enable remote code execution; given the need to patch both Windows and Samba, experts suggested the flaw may be found in the Server Message Block (SMB) protocols.
"The scenario that most people following this bug are concerned about is that attackers might discover the vulnerability, then develop exploits for it before the patch has been released," Thames said. "If this vulnerability turns out to be a remote, server-side vulnerability that can be made 'wormable,' meaning that exploitation of the bug could happen with a replication mechanism built-in, an exploit in the wild before a patch is available could lead to significant disruptions due to the large numbers of systems that use SMB."
"If their description is true," Polyakov said, "it means that the vulnerability can be used to create a worm, such as Conficker."
As for what to do about it, experts agreed the key is to limit Windows and Samba exposures. To protect against exploits of a Samba zero-day vulnerability, "the first step would be to ensure that the appropriate Samba/Microsoft services are not exposed to the Internet," Bambenek said.
"Don't allow SMB or NetBIOS where you don't need it," Williams wrote, adding that Layer 3 Access Control Lists and client firewalls would also help. Assuming the vulnerability could be turned into a worm, he wrote, security professionals should prevent SMB traffic leaving the network by blocking TCP ports 135, 139 and 445 at boundary firewalls.
"IT departments should ensure that none of their systems running SMB services are exposed through corporate firewalls to the Internet, unless there is a compelling business reason for doing so," Thames said. "If organizations do have Internet-facing SMB services, then these systems must be identified as the highest of priority for applying the upcoming patch. If this is indeed a vulnerability that impacts the server-side aspect of SMB, then fully functional exploits will likely be developed within a short time after the patch becomes available."
Polyakov also suggested the use of network segmentation to reduce risks from a possible worm based on Badlock, while Williams pointed to private VLANs. "We regularly recommend private VLANs to clients we work with," he wrote. "While they can pose some initial configuration challenges in some environments, we find that those environments are usually poorly architected, with workstations doing jobs much better-suited to servers."
Patch management is also important, especially in the days and weeks before the patches are made available. Williams advised IT professionals to budget enough time to test and apply patches, with an emphasis on testing. "A bad patch here will result in a blue screen. Period. Not a good place to be," he wrote. "Also, don't forget that you may have to patch more than once, especially if [Microsoft] releases a rushed patch out of band, because someone releases an exploit."