At Capstan Services we partner with both customers and non-customers to share news about potential threats to your computing environment. We feel it is imperative to notify you about the release of patches for the Badlock vulnerability. Details about this vulnerability were released on April 12, 2016, along with patches for both Microsoft Windows and the Samba project.
What is Badlock?
Badlock is a vulnerability in the Server Message Block (SMB) protocol. This is the protocol used by Microsoft Windows networks and certain Unix/Linux machines to share files over a network connection. In simple terms, this is how you get to your network drives and "Drive Letters" that are not on your machine.
What is the Risk?
Capstan Services is calling the risk level High although not critical. This vulnerability was hyped quite a bit and we believe that the hype was not quite warranted. The risks of Badlock are primarily limited to the internal network, which dramatically lowers the risk in most environments. It should be noted that this is a good time to verify that your organization does not have any open SMB ports facing the internet. This is a terrible practice to start with and becomes more dangerous with Badlock.
This vulnerability opens unpatched users to the following risks:
- Man In The Middle Attacks
A Man in the Middle attack allows an attacker to gain access to resources by standing between a user and a server. In this case an exploit would be able to gain access to a file server and change user accounts, passwords and user rights, delete files and shut off services. For Microsoft Active Directory environments the attacker might also be able to gain access to Active Directory features.
- Denial of Service Attacks
A denial of service attack allows the attacker to prevent users from accessing a server or services.
How do I Remediate?
The most important first step is to verify that you do not have any SMB presence on the internet. SMB is not an internet friendly protocol and should NEVER be available outside of your local network. This can be verified by your Information Technology staff by checking the following:
- Verify that there are not any external firewall rules which allow traffic on ports 445 TCP, 137 TCP/UDP, 138 UDP or 139 TCP
- Verify that there are no external firewall NAT rules to any of the above ports
- Check to make sure that none of the above ports are open on any outside IP address
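The first two checks can be scripted against a rule export. The sketch below is an added example, not a Capstan Services tool; it assumes a Linux firewall whose rules are exported in `iptables-save` format and whose external interface is named `eth0`, and it runs over a constructed sample rule set.

```python
# Ports and protocols named in the advisory.
SMB_PORTS = {("tcp", 445), ("tcp", 137), ("udp", 137), ("udp", 138), ("tcp", 139)}

# Constructed sample in iptables-save format; eth0 is assumed to be the external interface.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.1.10:445
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.20:443
COMMIT
*filter
-A FORWARD -i eth0 -p udp -m multiport --dports 135:139 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j DROP
COMMIT
"""

def parse_ports(spec):
    """Expand '445', '137:139' or '137:139,445' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def find_exposed_smb_rules(rules_text, external_if="eth0"):
    """Return (table, rule, hits) for ACCEPT/DNAT rules admitting SMB traffic on external_if."""
    findings, table = [], None
    for line in rules_text.splitlines():
        if line.startswith("*"):
            table = line[1:]  # remember which table (nat, filter) the rules belong to
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        opts = dict(zip(tokens, tokens[1:]))  # each option mapped to the token after it
        # A rule with no -i applies to every interface, including the external one.
        if opts.get("-i", external_if) != external_if or opts.get("-j") not in ("ACCEPT", "DNAT"):
            continue
        proto = opts.get("-p")
        spec = opts.get("--dport") or opts.get("--dports")
        if proto is None or spec is None:
            continue
        hits = sorted((proto, p) for p in parse_ports(spec) if (proto, p) in SMB_PORTS)
        if hits:
            findings.append((table, line, hits))
    return findings

if __name__ == "__main__":
    for table, rule, hits in find_exposed_smb_rules(SAMPLE_RULES):
        print(table, hits, rule)
```

The script does not evaluate rule order, negated matches, default chain policies or rules that accept all ports, so a clean result is a first pass and the outside-facing port check in the third item is still needed.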
For Microsoft Windows based machines you will need to install the latest patches for each machine. For details on the latest security bulletins please see:
https://technet.microsoft.com/en-us/security/bulletin/dn602597.aspx
For Linux & Unix machines running Samba you will need to install the latest patches for your version of Samba AND you must be running one of the following Samba versions:
- 4.2.10
- 4.2.11
- 4.3.7
- 4.3.8
- 4.4.1
- 4.4.2
You should check with the vendor of your Samba version to identify and install the appropriate patch for your Samba implementation.
What is Capstan Services doing?
If you are a Capstan Services customer we will be scheduling a time to deploy fixes in your environment. We will be deploying patches to servers based on outage windows and you should coordinate this with your contact at Capstan Services.
If you are a Capstan Services Managed Desktop or Worry Free Desktop customer we will deploy patches to your desktop machines on your current deployment schedule.
If you have any questions or would like to have us assist you with remediation please call us at (469) 312-8100.
More Information
For more information on the Badlock bug and detailed information on remediation please go to badlock.org.