Last week SerNet issued a notification of a potentially critical bug that is present in Windows and Samba. They have named the vulnerability the Badlock bug. Their notification stated that patches for this issue will be released on April 12th. If a critical issue does exist, the large lead time before patch availability does give malicious actors some time to identify the bug and exploit it before patches are available. We currently have no information as to the actual severity of this issue, however, you should take this time to perform the following actions:
- Identify all existing CIFS/Samba servers on your network.
- Review firewall rules and processes for issuing rule changes.
- Ensure that your monitoring tools are updated and working as expected.
- Review your patching procedures and plan for the possibility of emergency patching on April 12th.
Identify all existing CIFS/Samba servers on your network.It's important to be aware of all existing services on your network in order to properly address new vulnerabilities that threaten your infrastructure. To identify CIFS/Samba servers on your network you can use a number of different methods. Even if admins self-identify services their systems provide, they may not be cognizant that this service was enabled automatically.
- Port scanning your address space using tools like nmap or masscan
- Check network flows for connections to local hosts on port 445 using tools like bro or netflow collectors like nfsen or argus.
Review firewall rules and processes for issuing rule changes.If you are utilizing firewalls rules either at your network border or directly on the host, you should make sure they are configured correctly and that you know the process to enable rules both technically and procedurally. Limiting network access can also be accomplished through utilizing private address space that is not accessible outside of your local network. If you have services that are exposed to the public internet that should not be publicly accessible, consider moving these services to such internal private networks.
Ensure that your monitoring tools are updated and working as expected.Proper monitoring of your environment will help you identify services on your network and anomalous activity like attacks against your network or individual systems. Tools like Bro can help identify services on your network that you may not have been aware of. Bro and other tools like Snort/Suricata can help identify active threats against your network and can even help actively respond to such attacks. As potential threats like Badlock become actual, ensure that you know how to update your monitoring tools to identify these specific attacks.
Review your patching procedures and plan for the possibility of emergency patching on April 12th.SerNet is suggesting that immediate patching is needed to address this vulnerability when it is released, thus the need for a pre-release announcement. It's possible this is a non-event, however, in any event you should be prepared should the need arise to mitigate this issue. This means blocking and/or monitoring network traffic and on-host activity for vulnerable hosts and patching affected systems. If you manage these systems, you should consider planning for emergency patching on April 12th and what that may entail including downtime of services, affected users, software compatibility and reconfiguration of monitoring policies.
Regardless of Badlock or the next named vulnerability down the road, these steps should always be considered in order to proactively address potential threats against your infrastructure. You need to know your environment, understand your internal procedures for mitigation methods, keep your monitoring up-to-date, and have a plan for system patching.