What is the 'Badlock Bug'?

Question

A user on the Ask Ubuntu General Room posted a link to Badlock. After some googling around, all I can find is that it is a mysterious security bug, that uses the same website template as Heartbleed.

I manage Linux Servers, a mysterious security bug does not sit well with me. What exactly is it, and how can I protect my servers from it?

This is a bug regarding samba, Linux servers use samba to 'talk' to Windows shares. Thus, this 'bug' affects Linux systems. As is stated on some website I am reading right now — blade19899, Apr 12 '16 at 13:49
Well, read enough to post my own answer till Microsoft/Samba releases more information — blade19899, Apr 12 '16 at 13:57
What i would like to know, regarding this is, will an update hit today or not and well why 15.10 is still running on samba 4.1. but ok 15.10 is near the EOL. — Videonauth, Apr 12 '16 at 14:05
@Videonauth posted an answer, editing to post relevant information I find online — blade19899, Apr 12 '16 at 14:06

blade19899 · Accepted Answer · 2016-04-12T17:45:02.303

12

What is BadLock

Badlock is a bug that affects Windows and Samba.

What Can hackers do with this security bug?

Two things:

Man-in-the-middle (MITM) attacks:
Denial-of-Service (DoS) attacks:

The Badlock CVE is: CVE-2016-2118. There are additional CVEs related to Badlock. Those are:

CVE-2015-5370 (Multiple errors in DCE-RPC code)
CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
CVE-2016-2112 (LDAP client and server don't enforce integrity)
CVE-2016-2113 (Missing TLS certificate validation)
CVE-2016-2114 ("server signing = mandatory" not enforced)
CVE-2016-2115 (SMB IPC traffic is not integrity protected)

Which versions of samba are affected

3.6.x,
4.0.x,
4.1.x,
4.2.0-4.2.9,
4.3.0-4.3.6,
4.4.0

Fix:

Download the patches for your version of samba, here:

https://www.samba.org/samba/history/security.html

How bad is Badlock?

The severity of Badlock according to the Common Vulnerability Scoring System (CVSS):

CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C Base: 7.1 (High); Temporal: 6.4 (Medium)

Notes:

With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED (see Samba Release Planning)

Further Reading:

Official badlock website:

Badlock Bug

Links:

GitHub: samba-team/samba:
- Official GitHub mirror of https://git.samba.org/samba.git

edited Apr 12 '16 at 17:45

answered Apr 12 '16 at 14:06

blade19899

27,004

Wouldnt it be better to link the lock.c file on the official samba github, so no one actually misinterprets it and pulls samba from an more unknown source. – Videonauth Apr 12 '16 at 14:20
@Videonauth pass me the link and I'll include it in there! – blade19899 Apr 12 '16 at 14:29
lock.c and the main site of this official mirror is here – Videonauth Apr 12 '16 at 14:36
1

Clearly the fix is to upgrade to the newest version of samba, after 17:00utc – cybernard Apr 12 '16 at 16:49
A god addition would be a how to upgrade and patch samba to latest version, because the official repos actually contain at least for 15.10 wily only version 4.1.17 of samba which is not even supportet for this bugfix. I mean for those who are not able to download and compile it themselfes. – Videonauth Apr 12 '16 at 20:25
1

The fixes are in the repos this morning (4/18). – Organic Marble Apr 18 '16 at 12:56

score 3 · Answer 2 · answered Apr 13 '16 at 02:01

See here for the Ubuntu security update packages:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1569497

Took a little while to get published, but a hell of a lot easier than patching 3.6.3 up to 3.6.25 and applying the official patches on top of that.

NB: I tried to build 3.6.25 from source on precise and failed. YMMV.