Badlock: A Lateral Concern

Yesterday, what seems like the entire InfoSec industry was underwhelmed when Badlock was finally disclosed and, apparently, didn’t live up to its billing.

https://sadlock.org/

Badlock… or Sadlock?

While we agree that the month-long buildup to the disclosure and the flashy logo were unnecessary, we’d like to explain why we think this vulnerability will end up providing malicious actors with a useful weapon in the future.

The industry’s collective disappointment hinged on the fact that in order to exploit the vulnerability, a weaponized man-in-the-middle attack must be crafted and then deployed against a series of networked hosts with unpatched SMB implementations. You’re pretty much only likely to find that sort of scenario in an internal company network. However, a proper man-in-the-middle attack against this vulnerability will allow an attacker to elevate privileges and gain full access to an Active Directory database, which in turn will provide them with a full set of login credentials and password hashes. As the official Badlock site states:

“There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.”

If this vulnerability is used against a Samba AD server, the attacker may be able to view or modify secrets within the AD database, including user password hashes. They may also be able to shut down critical services running on that server. If used against a standard Samba server, an attacker may be able to modify user permissions on files or directories.

This vulnerability affects both Windows and Linux. While patches have already been made available to fix this issue, it’s up to administrators to ensure those patches are applied company-wide. Microsoft’s own “Patch Tuesday” process will fix this problem, and we’re expecting most Windows boxes to be quickly brought up-to-date. Linux boxes, on the other hand, are a bit of an unknown.

Looking at the bigger picture, the Badlock vulnerability potentially supplies advanced threat actors with a useful tool for lateral movement and credential harvesting, once they’ve gained access to a company’s internal network. For organized and well-resourced groups, such as nation states, creating and deploying a suitable MitM attack to exploit Badlock wouldn’t be all that difficult.

While proofs of concept against this vulnerability are currently being kept under wraps, we’re sure that there are groups out there working on creating exploits. Although we’re unlikely to see this sort of tactic being used right now (due to the buzz surrounding Badlock), we wouldn’t be surprised to see it utilized down the road.


