
MAJOR Zero Day 0day Exploit in SMB Samba 445 BADLOCK BUG Vulnerability

A critical vulnerability allows remote exploitation of virtually ALL versions of Samba’s Server Message Block (SMB) protocol, which is a version of the Common Internet File System (CIFS) and operates by default over TCP port 445 as an application-layer network protocol. SMB is typically used to provide shared access to files, printers and serial ports, and for miscellaneous communication between nodes.

This vulnerability is being dubbed the “Badlock Bug”. Following in the footsteps of the Heartbleed team, its discoverers have devoted a site to patching and testing for the vulnerability once a patch is released. The website is badlock.org, and a patch is announced for release on August 12th. Samba and Microsoft are currently working on a patch for this vulnerability, but it will be another 10 days from the time of this post until it is available.

There are reports of this vulnerability already being exploited in the wild, and of multiple hacker groups attempting to sell a remote 0day exploit for it on the so-called “Dark Web”, with asking prices up to $100,000. However, we should note that these claims and the Proof of Concept (PoC) for this vulnerability have not been verified by any reputable security company. If an exploit is circulating in the wild before a patch is available, there are thousands of publicly accessible SMB servers open on the internet that may fall victim to this vulnerability.

Mitigation:

DO NOT RUN SMB in your DMZ, and do not allow port forwarding to internal servers that is open to the public. If for some reason you require remote access to your SMB servers, ensure that you have proper ACLs in place to DENY ALL and PERMIT ONLY BY EXCEPTION. This will prevent 99% of hackers from exploiting your network through this vulnerability: mass scans of the internet and a race to exploit all available SMB servers will be the MO of most initial attackers. Hackers who breach a public-facing web server, mail server, DNS server, etc. with limited access may be able to use this exploit to pivot further into your network, so restrict access from DMZ servers into your intranet.

Do not run SMB as root, admin or any other privileged user; this will prevent anyone exploiting this vulnerability from gaining anything more than user-level access.

Insider threat:

Restrict end users from plugging USB sticks and portable media devices into enterprise hosts, as this may be a tactic, technique and procedure (TTP) for worm-based propagation of this vulnerability. Restrict internal access to SMB servers to only authorized and isolated systems, as needed. Absolute protection from an exploit would mean disabling SMB for another ten days, until you have had the chance to patch this critical bug, if your organization can survive until patches are applied.
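The “DENY ALL and PERMIT ONLY BY EXCEPTION” advice above, and the internal restriction to authorized systems in the insider-threat paragraph, can both be enforced in Samba’s own configuration through the real smb.conf options `hosts deny`, `hosts allow`, `interfaces` and `bind interfaces only`. The script below is an added example, not code from this post or from the Samba project: it parses an smb.conf and reports where the configuration does not follow that policy (no global deny, an empty or wildcard allow list, smbd bound to every interface, or a share with guest access). The two configuration fragments embedded in it are constructed samples; the network ranges and interface names in them are assumptions chosen for illustration.

```python
import configparser
import ipaddress

# Constructed sample smb.conf fragments (not from the post): a wide-open
# configuration and one that denies by default and permits by exception.
OPEN_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = File server
   interfaces = 0.0.0.0/0
[share]
   path = /srv/share
   guest ok = yes
"""

RESTRICTED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; bind only to loopback and the internal interface (assumed name eth1)
   interfaces = lo eth1
   bind interfaces only = yes
   ; deny everything, then permit by exception (assumed internal range)
   hosts deny = ALL
   hosts allow = 127. 10.20.0.0/24
[share]
   path = /srv/share
   guest ok = no
"""


def parse_smb_conf(text):
    """smb.conf is INI-like; interpolation is off because Samba uses %-macros."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def is_wildcard(entry):
    """True for entries that match every host or every interface."""
    e = entry.strip().upper()
    if e in ("ALL", "0.0.0.0", "0.0.0.0/0", "::/0"):
        return True
    try:
        return ipaddress.ip_network(entry.strip(), strict=False).prefixlen == 0
    except ValueError:
        # Samba prefix forms like "127." or interface names such as "eth1"
        return False


def audit_smb_conf(text):
    """Return a list of findings; an empty list means the ACL policy is restrictive."""
    cp = parse_smb_conf(text)
    if not cp.has_section("global"):
        return ["no [global] section: every access control default applies"]
    g = cp["global"]
    findings = []

    if g.get("hosts deny", "").strip().upper() != "ALL":
        findings.append("hosts deny is not ALL: any host not explicitly denied may connect")

    allow = g.get("hosts allow", "").split()
    if not allow:
        findings.append("hosts allow is empty: no permit-by-exception list is defined")
    for entry in allow:
        if is_wildcard(entry):
            findings.append(f"hosts allow contains wildcard entry {entry!r}")

    if g.get("bind interfaces only", "no").strip().lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not yes: smbd listens on every interface")
    for iface in g.get("interfaces", "").split():
        if is_wildcard(iface):
            findings.append(f"interfaces contains wildcard entry {iface!r}")

    # Guest-enabled shares undo the host ACL for whoever can reach the port.
    for section in cp.sections():
        if section == "global":
            continue
        if cp[section].get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
            findings.append(f"share [{section}] allows guest access")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_SMB_CONF), ("restricted", RESTRICTED_SMB_CONF)):
        print(f"== {name} ==")
        for finding in audit_smb_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`. Samba’s host ACL is a second line of defence behind the network ACL the post calls for: a firewall rule on port 445 stops the connection before smbd ever sees it, while `hosts deny`/`hosts allow` only help once the packet has reached the daemon.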

PREPARE TO PATCH ON APRIL 12th! Even if a proof of concept hasn’t been created yet, shortly after the patch is released and the vulnerability is disclosed, attackers will be able to create an exploit almost immediately, given how much anticipation has already built up around this huge bug.
