SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
13 Apr 2016

Badlock bug was shamelessly hyped, but the threat is real

Go ahead and pooh-pooh the overdone marketing of the Badlock vulnerability. With its fire-engine-red logo and a dedicated website that went live more than a month before the release of any patches, claims that the risk was shamelessly hyped are justified.

That said, Badlock represents a real and critical threat to virtually any organization that maintains a Microsoft network. Administrators who don't patch right away do so at their own peril.

In a nutshell, Badlock refers to a defect in a security component contained in just about every version of the Windows and Linux operating systems. Known as the Distributed Computing Environment/Remote Procedure Call (DCE/RPC), it's used by administrators around the world to access the most valuable asset on any Windows network—the Active Directory, which acts as a network's digital security guard, allowing, for instance, an organization's CFO to log in to an accounting server, while locking out the janitor or the groundskeeper. Because Active Directories enforce security policies and contain password data and other crucial credentials, they are almost always the first asset hackers access once they gain a limited foothold into a targeted network.

By design, DCE/RPC is able to use a cryptographic system to protect connections between an admin's remote computer and the server running the Active Directory. In many ways, the system is analogous to the transport layer security protocol that protects connections between end users and the websites they visit. DCE/RPC ensures that parties are who they claim to be. It can also encrypt the data traveling between the parties. That way, anyone who happens to have access to the same corporate network—say, a rogue janitor or groundskeeper employed by the same organization—can't monitor or modify the crucial information inside the Active Directory.

Accessing the Active Directory

If DCE/RPC is a TLS of sorts for administrators, Badlock is similar to the Goto Fail bug that made it trivial for attackers to bypass the TLS encryption protecting millions of Mac users' e-mail and Web communications. To be sure, Goto Fail left orders of magnitude more users vulnerable, but it's also the case that those exposed by Badlock have more to lose. And in both cases, there's no indication the encryption has failed. Like Goto Fail, Badlock can be silently exploited by anyone in a position to monitor the traffic passing over the network. And that's hardly a comforting thought for any corporate or government organization that maintains an Active Directory on its network.

"An Active Directory infrastructure with a Samba server as a domain member is vulnerable to this flaw," an advisory published Tuesday by Linux distributor Red Hat warned. "A man-in-the-middle attacker could intercept DCE/RPC traffic between the domain member and the domain controller to impersonate the client and get the same privileges as the authenticated user account. The attacker could view or modify secrets within an AD database, including user password hashes, or shut down critical services."

The Red Hat advisory goes on to say: "Any Samba server configured as a file or print server is also vulnerable to this flaw. The attacker could use the flaw to modify user permissions on files or directories." As noted earlier, Red Hat users are by no means the only ones affected by Badlock. Because the vulnerability resides in the DCE/RPC protocol itself, it affects just about any platform that implements the protocol. Red Hat has classified the vulnerability as critical, its highest threat category. Microsoft, meanwhile, rates the flaw as important, or one notch below critical.

The software maker, which has provided a patch and details here and here, most likely chose the lower rating because the flaw doesn't pose a threat to the machines of everyday users, or isn't easy to exploit in real-world situations. That's not to say everyday users aren't affected. If Badlock is exploited to hack into their bank, e-mail server, or tax return service, ordinary people may very well suffer very real consequences even if their PCs remain secure.

The month-long marketing of Badlock is unfortunate because it has turned into a sideshow that distracts people from what's at stake. Instead of the vulnerability being the news of the day, the exaggerated warning became the only thing people are talking about. People who read about Badlock and saw its logo expected a vulnerability with the scale and severity of the Heartbleed flaw that opened millions of websites to attacks that stole passwords, encryption keys, and other sensitive data. The threat posed by Badlock is a lot more nuanced and muted. But it could prove a godsend for rogue insiders or hackers looking to elevate privileges on a targeted network. Sure, it's no Heartbleed or Goto Fail, but people who say it's not serious may be sadly mistaken.

Tags: Badlock, information leaks
Source: Ars Technica