
Badlock vulnerability proves a bust for responsible disclosure

The much-hyped Badlock bug is still important to patch, but raised issues with celebrity vulnerability promotion and responsible disclosure of security vulnerabilities.

The newest branded vulnerability, Badlock, has prompted a hurricane of reaction from critics over whether the preannounced flaw -- one that many speculated could enable serious exploits -- was actually a responsible disclosure, or merely a blatant grab for attention. But, as it turns out, the vulnerability seems to be mostly a nonevent, despite early speculation.

Last month, researchers created a website for Badlock -- a name which turned out to have no significance, according to the researchers -- for a new and "crucial" vulnerability in Windows and Samba. Three weeks later, all questions have been answered.

"It is almost totally hype," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC, in Augusta, Ga., echoing the opinion of most experts.

"The guys behind the Badlock preannouncement, with its shiny little website and fancy name, should be ashamed of the hype they created," said Lane Thames, security researcher from the Vulnerability and Exposure Research Team (VERT) at Tripwire Inc., based in Portland, Ore. "Compared to the attention it got, this is a big letdown."

The researchers behind the Badlock website wrote that they "are pretty sure that there will be exploits soon," and added that they believed it was possible the flaw was already being exploited in the wild.

Badlock vulnerability falls short of expectations

The Badlock flaw, as described in CVE-2016-2118, enables a man-in-the-middle (MitM) attacker to intercept Distributed Computing Environment (DCE) Remote Procedure Call (RPC) traffic "between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against Active Directory domain controllers."

Microsoft released its patch for the Badlock vulnerability in its April 2016 Patch Tuesday release under security bulletin MS16-047, which it rated as important, rather than critical. The bulletin described the flaw as a Windows vulnerability that "could allow elevation of privilege if an attacker launches a man-in-the-middle attack. An attacker could then force a downgrade of the authentication level of the [Security Account Manager (SAM)] and [Local Security Authority (Domain Policy) (LSAD)] channels, and impersonate an authenticated user."

The vulnerability exists in Microsoft's protocols, not in the Server Message Block (SMB) protocol, according to Microsoft. "Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable."

Red Hat also described Badlock as having an important impact -- short of critical -- and wrote that it is "a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure." Red Hat noted that Badlock is an issue in Microsoft's protocols, and it affects all applications that implement them, which includes Samba.

Badlock earned a CVSS base score of 7.1, which is considered a high-severity vulnerability, but just barely: The National Vulnerability Database scoring system labels vulnerabilities as having high severity if their score is between 7.0 and 10.0 -- the most severe.
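The flaw described above is a downgrade of the authentication level on the SAM and LSAD channels, so on the Samba side the practical defensive question is whether a server's configuration permits the weak DCE/RPC authentication level or lets IPC signing be negotiated away. The following audit script is an added example, not code from the article or from the Samba project. It assumes the smb.conf parameters `allow dcerpc auth level connect` and `client ipc signing`, which Samba introduced alongside its Badlock fixes, and the sets of values it treats as weak; the article does not name these, so verify them against the smb.conf manual for your Samba version. Both sample configurations are constructed for the example.

```python
"""Audit a Samba smb.conf for settings that re-weaken the DCE/RPC
authentication level that the Badlock (CVE-2016-2118) fixes tighten.

Added example; not code from the article or from the Samba project.
Assumptions (not stated in the article): the smb.conf parameters
'allow dcerpc auth level connect' and 'client ipc signing', and the
sets of values treated here as weak. Sample configs are constructed.
"""
import re

# Parameter name -> values treated as weak. Names and values are compared after
# lower-casing and stripping whitespace, mirroring how Samba matches parameter
# names (assumed behaviour; check against your Samba version).
WEAK_SETTINGS = {
    # Permits DCE/RPC binds at auth level "connect" (no integrity or privacy),
    # the downgrade target described for Badlock. Assumed parameter name.
    "allowdcerpcauthlevelconnect": {"yes", "true", "1"},
    # Anything short of mandatory signing on the IPC$ connection lets a
    # man-in-the-middle strip signing during negotiation. Assumed name/values.
    "clientipcsigning": {"no", "false", "0", "off", "disabled", "auto", "desired"},
}

# Constructed sample: an admin re-enabled weak settings for a legacy client.
WEAK_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   ; added to keep an old client working -- this undoes the Badlock hardening
   allow dcerpc auth level connect = yes
   Client IPC Signing = auto

[share]
   path = /srv/share
"""

# Constructed sample: hardened configuration.
HARDENED_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server role = standalone server
   allow dcerpc auth level connect = no
   client ipc signing = mandatory

[share]
   path = /srv/share
"""


def _normalize(name: str) -> str:
    """Canonical form for a parameter name: lower-case, whitespace removed."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict:
    """Parse the [section] / key = value layout of smb.conf.

    Returns {section_name: {normalized_key: value}}. Lines starting with
    '#' or ';' are comments; section names are lower-cased.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore it
        key, _, value = line.partition("=")
        sections[current][_normalize(key)] = value.strip().lower()
    return sections


def audit(text: str) -> list:
    """Return 'parameter = value' strings for every weak [global] setting found."""
    global_section = parse_smb_conf(text).get("global", {})
    findings = []
    for param, weak_values in WEAK_SETTINGS.items():
        value = global_section.get(param)
        if value is not None and value in weak_values:
            findings.append(f"{param} = {value}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {audit(conf) or 'no weak settings found'}")
```

The check only looks at explicit settings in `[global]`; a parameter that is absent is left to Samba's default, which after the fix is the hardened value, so the script flags only configurations where someone has deliberately loosened it.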

The experts respond to Badlock

"The Internet waited with bated breath for details on the much-hyped Badlock disclosure only to find today that the hype was, in fact, nothing more than hype," said Craig Young, computer security researcher with Tripwire VERT. "As stated on, the weaknesses ... which can be exploited through man-in-the-middle attacks, are well known and have been for some time. My hope is that Badlock will serve as the start of the end for the era of branded vulnerabilities."

Experts were almost universally in agreement that Badlock was mostly hype -- especially considering the high expectations the Badlock researchers set, with such a long run-up to the disclosure. There was widespread expectation Badlock would turn out to enable remote code execution (RCE).

"With the announcement of Badlock three weeks ago, many theorized it might be a critical [RCE] vulnerability that could be used to create a worm, spreading across open file shares," said Gavin Millard, EMEA technical director at Tenable Network Security, while the reality was less severe. "Simply put, Badlock is a [MitM] attack against file and print services on Windows and Linux that could lead to privilege escalation or denial of service [DoS]."

Per Thorsheim, founder of PasswordsCon, tweeted the night before the Badlock disclosure:

"It is denial of service on Samba and only an SMB replay attack on Windows. This is an old attack that almost doesn't bear mentioning anymore, as simple network controls -- like switch port security -- prevent it," Williams said.

The response from some experts was disappointment. For example, Chris Graham tweeted:

And Williams, blogging as MalwareJake, wrote: "I hate to say it, but I'm almost looking for another Heartbleed to restore some credibility with the media to our industry."

Tonimir Kisasondi, assistant professor at Faculty of Organization and Informatics in Varazdin, Croatia, tweeted:

Experts' advice: Keep patching, but don't buy the hype

While Badlock didn't turn out to be as critical as some expected, it is still an important vulnerability, and could be exploited if unpatched. However, experts mostly agreed that Badlock did not call for extreme measures.

"The majority of IT professionals suggest keeping SMB behind the firewall and have been doing so for years. But, unfortunately, there are firms that do not adhere to this, although they are few and far between," said Michael Gray, vice president of technology at Thrive Networks in Tewksbury, Mass. Badlock, he said, could still be used as "a downstream vector," allowing an attacker to gain access to a device connected to a public Wi-Fi network, and then wait for the user to connect to a corporate environment.

"Once it detects a file server, it could inject payload into the server via Badlock, or simply use it to download corporate data," Gray said. "It's likely that Badlock could circumvent antivirus until all vendors have caught up, assuming, of course, that a company's antivirus is up to date and functional."

Even so, "it would be extremely difficult for cybercriminals to exploit the Badlock vulnerability," said Michael Gorelik, vice president of research and development at Israel-based Morphisec Ltd. "He must be in a place in which he can sniff and intercept the traffic, and would need administrative credentials to access resources required for network interception from inside the network. So, if this was to be used by anyone soon, it could only be by those that already reside in a very specific network and have remote-access controls."

Badlock: Ridiculous, or responsible, disclosure?

"The publicity generated around this seemed abjectly pointless," said John Bambenek, manager of threat systems for Fidelis Cybersecurity in Waltham, Mass. "Organizations shouldn't send SMB traffic across untrusted networks in the first place."

"After the burst of the bug bubble, I'm left wondering who at SerNet decided the Badlock marketing campaign was a good idea, and why," Gorelik said. "It certainly was not, as claimed, to raise awareness for a critical bug that needed immediate patching."

"In this particular case, these guys could have revealed that the bugs were MitM and DoS," Thames said. "If they would have done that, then many would have known that the bugs were not earth-shattering. That information could have been both beneficial and responsible. Instead, it is likely that many organizations planned for the worst case, and allocated extra resources and made special plans for today's patch release."

"Indeed, these Badlock vulnerability patches need to be applied as soon as possible," Thames pointed out. "But there are several other vulnerabilities being addressed today by Microsoft's Patch Tuesday that should take much more priority over Badlock."

"The 'big deal' behind Badlock is that the vulnerabilities will impact a large number of hosts, because multiple types of systems are affected," Thames said, noting that Windows systems, Linux systems and many Unix/Linux variants contain software susceptible to the Badlock vulnerabilities.

"Unfortunately, Badlock is only an extreme example of a new trend. More and more companies use their findings for marketing reasons," Gorelik said. "This is not a problem, if done responsibly, but SerNet exploited a real crisis that IT teams are facing. They simply cannot keep up with the sheer amount of patches -- the gap is just getting bigger and bigger. Making the right choice about which patches to prioritize can be critical; being misled by those crying wolf can do real harm."

"Eventually this 'crying wolf' problem is going to bite us and hard," Bambenek said. "IT pros, as always, need to critically examine all sources of info to decide on the best course of action, and, unfortunately, that means wading through the hype PR-generated buzz."

"Quite simply put, BadLock turned out to be a waste of everyone's time," said Tyler Reguly, manager of Tripwire's security research team. "It's definitely in the running for the most overhyped vulnerability of the year, and it's really not worth the attention it tried to attract."
