Thursday, March 31, 2016

Being Ready for Zero-Days, a Badlock Example

Being ready for the eventuality of zero-days is something every organization should build into its security plan. That means knowing your environment and knowing how to respond quickly to a critical threat. Let's take the recent 'Badlock' announcement as an example.

Last week SerNet issued a notification of a potentially critical bug present in both Windows and Samba, which they have named the Badlock bug. The notification states that patches for the issue will be released on April 12th. If the issue is as serious as implied, that three-week lead time gives malicious actors an opportunity to identify the bug and exploit it before patches are available. We currently have no information about the actual severity of the issue; however, you should use this time to perform the following actions:

  • Identify all existing CIFS/Samba servers on your network.
  • Review firewall rules and processes for issuing rule changes.
  • Ensure that your monitoring tools are updated and working as expected.
  • Review your patching procedures and plan for the possibility of emergency patching on April 12th.

Identify all existing CIFS/Samba servers on your network.

It's important to be aware of all services on your network in order to properly address new vulnerabilities that threaten your infrastructure. Do not rely solely on administrators self-reporting the services their systems provide: they may not be aware that a service was installed or enabled automatically by a package or a default configuration. Several methods can identify CIFS/Samba servers on your network, and they complement each other, since a scan finds listening services whether or not anyone uses them, while flow data shows only the servers that are actually being talked to:

  • Port scanning your address space for TCP 445 (SMB over TCP) and TCP 139 (NetBIOS session service) using tools like nmap or masscan.
  • Checking network flows for connections to local hosts on port 445 using tools like Bro, or netflow collectors like nfsen or argus.
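The scan step above produces raw output that still has to be turned into an inventory. The following shell script is an added example, not code from the original post: it parses nmap's greppable (-oG) output and lists every host with TCP 139 or 445 in the open state, ignoring closed and filtered ports. The scan command in the comment and the sample scan output embedded in the script are constructed for offline use; the addresses and the "Ignored State" line are assumptions about what your own scan would show, not real hosts.

```shell
#!/bin/sh
# Added example (not from the original post): build an SMB/CIFS listener
# inventory from nmap greppable output.
#
# To produce real input, run something like (needs nmap; -sS needs root):
#   nmap -sS -p 139,445 -oG smb-scan.gnmap 10.0.0.0/24
# and then:  smb_listeners < smb-scan.gnmap
#
# Constructed sample of -oG output (assumed hosts; nmap separates the
# columns with tabs, spaces are used here for readability and work the same):
SAMPLE_GNMAP='# Nmap 7.01 scan initiated Thu Mar 31 10:00:00 2016 as: nmap -sS -p 139,445 -oG - 10.0.0.0/24
Host: 10.0.0.5 ()   Status: Up
Host: 10.0.0.5 ()   Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 ()   Status: Up
Host: 10.0.0.7 ()   Ports: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.9 ()   Status: Up
Host: 10.0.0.9 ()   Ports: 445/open/tcp//microsoft-ds///   Ignored State: closed (1)
# Nmap done at Thu Mar 31 10:00:05 2016 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds'

# smb_listeners: read -oG output on stdin, print "ip port" for each host
# whose 139 or 445 is reported open. Filtered/closed ports are skipped,
# and the trailing "Ignored State: ..." column nmap adds is discarded.
smb_listeners() {
  awk '/^Host:/ && /Ports:/ {
    ip = $2                                   # second whitespace field is the address
    sub(/.*Ports: /, "")                      # keep only the port list
    sub(/[[:space:]]*Ignored State:.*/, "")   # drop the summary column
    n = split($0, ports, /, /)                # one entry per port
    for (i = 1; i <= n; i++) {
      split(ports[i], f, "/")                 # f[1]=port, f[2]=state, f[3]=proto, ...
      if ((f[1] == "139" || f[1] == "445") && f[2] == "open") print ip, f[1]
    }
  }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | smb_listeners
```

Feed the resulting list into your asset records and compare it against what administrators reported; every address that appears in the scan but not in the self-reported list is exactly the kind of forgotten service the post warns about.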

Review firewall rules and processes for issuing rule changes.

If you use firewalls, whether at the network border or directly on the host, make sure the rules are configured correctly and that you know the process for changing them, both technically and procedurally, so that a blocking rule can be put in place within hours rather than days when it is needed. Limiting network access can also be accomplished by placing services in private address space that is not reachable from outside your local network. If you have services exposed to the public Internet that should not be publicly accessible, consider moving them to such internal private networks; SMB in particular rarely has a legitimate reason to be reachable from the Internet.
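As an added example of the host-level rules this paragraph recommends (not configuration from the original post), the script below emits an iptables rule set that accepts SMB/CIFS only from a trusted network and logs and drops everything else, with the unrestricted rule shown as a comment for contrast. It prints the commands rather than running them so the change can be reviewed and fed through your rule-change process first; the trusted CIDR passed in, the chain name SMB-IN and the log rate limit are all assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules restricting
# SMB/CIFS (TCP 139 and 445) to a trusted network.

# smb_rules TRUSTED_CIDR
#   Emit (do not execute) the iptables commands. Review the output, then
#   apply as root with:  smb_rules 10.0.0.0/8 | sh
smb_rules() {
  trusted="$1"
  if [ -z "$trusted" ]; then
    echo "usage: smb_rules TRUSTED_CIDR" >&2
    return 2
  fi
  cat <<EOF
# Weak (for contrast): SMB reachable from any source, which is what an
# unfirewalled Samba or Windows host looks like from the network:
#   iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
#
# Restricted: route SMB traffic through its own chain so the policy can be
# reviewed and flushed independently of the rest of the INPUT chain.
iptables -N SMB-IN 2>/dev/null || iptables -F SMB-IN
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j SMB-IN
# Accept SMB only from the trusted network (assumed: $trusted) ...
iptables -A SMB-IN -s $trusted -j ACCEPT
# ... log the rest at a bounded rate (assumed 5/min) so monitoring sees
# who is probing for SMB, then drop it.
iptables -A SMB-IN -m limit --limit 5/min -j LOG --log-prefix "SMB-DROP: "
iptables -A SMB-IN -j DROP
EOF
}

# Stand-alone demo: show the rules for an assumed trusted network.
smb_rules 10.0.0.0/8
```

The LOG line is deliberate: once Badlock details are public, the kernel log entries prefixed SMB-DROP: tell you which external sources started scanning for SMB, which is useful input for the monitoring step that follows.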

Ensure that your monitoring tools are updated and working as expected.

Proper monitoring of your environment helps you identify services on your network and anomalous activity such as attacks against your network or individual systems. Tools like Bro can identify services you were not aware of by logging the protocols they actually observe on the wire. Bro and IDS tools like Snort/Suricata can identify active threats against your network and can even help respond to them. As potential threats like Badlock become concrete, ensure that you know how to update your monitoring tools to detect the specific attack once its details are public, and confirm that those tools actually see the traffic of the hosts you identified in the first step.

Review your patching procedures and plan for the possibility of emergency patching on April 12th.

SerNet is suggesting that immediate patching will be needed when the fix is released, hence the pre-release announcement. It's possible this turns out to be a non-event, but in any event you should be prepared to mitigate the issue should the need arise. That means blocking and/or monitoring network traffic and on-host activity for vulnerable hosts, and patching affected systems. If you manage these systems, plan now for emergency patching on April 12th and for what that entails: downtime of services, affected users, software compatibility, and reconfiguration of monitoring policies. Keep in mind that a Samba fix will usually reach you through your distribution vendor rather than directly from SerNet, so find out now how quickly your vendor ships such updates.

Regardless of Badlock or the next named vulnerability down the road, these steps should always be part of how you proactively address potential threats against your infrastructure. You need to know your environment, understand your internal procedures for mitigation, keep your monitoring up to date, and have a plan for system patching.

1 comment:

  1. Today the details of the SAMBA vulnerability coined 'Badlock' were released. The vulnerability was rather underwhelming in lieu of the media hype surrounding its initial announcement. The specifics of the vulnerability are available at There are still vulnerabilities to be addressed but they should be addressable within your regular patch cycle. The vulnerabilities surrounding Badlock can cause a Denial of Service. The other issue is actions that can be performed via an MITM attack that can lead to being able to perform SAMBA network calls at the level of the intercepted user. Limiting your exposure to MITM attacks should significantly minimize your risk to this vulnerability. The best way to do this is to limit access to your SAMBA/CIFS services to and from trusted nets, such as limiting access to only your local network and only allowing external access through VPN connections.

    The announcement did also mention that Windows systems may be affected. The Windows vulnerability is addressed through MS16-047, CVE-2016-0128, which has been rated by Microsoft as 'Important'. It should also be noted that Microsoft did release other unrelated 'Critical' rated vulnerabilities today as well and should be reviewed by your admins.

    * Badlock Site:
    * SAMBA Patches:
    * RHEL/CENTOS details:
    * Microsoft:
    * Ubuntu:
    * Debian:
    * SUSE: