Badlock or Sadlock?
No matter which name you prefer, Badlock or Sadlock, for the recently disclosed CVE-2016-2118 (SAMR and LSA man-in-the-middle attacks possible) and for Windows by CVE-2016-0128/MS16-047 (Windows SAM and LSAD Downgrade Vulnerability) Tenable has you covered. Nessus®, SecurityCenter™, SecurityCenter CV™, or Passive Vulnerability Scanner™, Tenable can determine if you are at risk.
According to Badlock.org, the security vulnerabilities can be mostly categorized as man-in-the-middle or denial-of-service (DoS) attacks. These would permit execution of arbitrary Samba network calls using the context of the intercepted user, such as the ability to view or modify secrets within an AD database, including user password hashes, or shut down critical services or modify user permissions on files or directories. A DoS attack against the Samba service is also possible by an attacker with remote network connectivity.
Affected versions of Samba are:
- 3.6.x
- 4.0.x
- 4.1.x
- 4.2.0-4.2.9
- 4.3.0-4.3.6
- 4.4.0
Regardless of where you stand on the “Sadlock” discussion, if the hype warranted the naming of this vulnerability, Tenable can provide visibility into where to prioritize your remediation efforts for Badlock.
The Tenable response
Nessus
Impacted operating system vendors are making updates available. Tenable has issued a series of local and remote Nessus® plugins to detect the presence of affected versions of Samba or Windows:
|
MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) |
|
|
Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock) |
|
|
Samba Badlock Vulnerability |
|
|
MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) (uncredentialed check) |
|
|
CentOS 6 : samba (CESA-2016:0611) |
|
|
CentOS 6 / 7 : ipa / libldb / libtalloc / libtdb / libtevent / openchange / samba / samba4 (CESA-2016:0612) |
|
|
CentOS 5 : samba3x (CESA-2016:0613) |
|
|
CentOS 5 : samba (CESA-2016:0621) |
|
|
FreeBSD : samba – multiple vulnerabilities (a636fc26-00d9-11e6-b704-000c292e4fd8) |
|
|
Oracle Linux 6 : samba (ELSA-2016-0611) |
|
|
Oracle Linux 6 / 7 : samba / samba4 (ELSA-2016-0612) |
|
|
Oracle Linux 5 : samba3x (ELSA-2016-0613) |
|
|
Oracle Linux 5 : samba (ELSA-2016-0621) |
|
|
RHEL 6 : samba (RHSA-2016:0611) |
|
|
RHEL 6 / 7 : samba and samba4 (RHSA-2016:0612) |
|
|
RHEL 5 : samba3x (RHSA-2016:0613) |
|
|
RHEL 7 : samba (RHSA-2016:0618) |
|
|
RHEL 6 : samba (RHSA-2016:0619) |
|
|
RHEL 6 : samba4 (RHSA-2016:0620) |
|
|
RHEL 5 : samba (RHSA-2016:0621) |
|
|
RHEL 5 : samba (RHSA-2016:0623) |
|
|
RHEL 5 : samba3x (RHSA-2016:0624) |
|
|
Scientific Linux Security Update : samba3x on SL5.x i386/x86_64 |
|
|
Scientific Linux Security Update : samba and samba4 on SL6.x, SL7.x i386/x86_64 |
|
|
Scientific Linux Security Update : samba on SL5.x i386/x86_64 |
|
|
Scientific Linux Security Update : samba on SL6.x i386/x86_64 |
SecurityCenter
We have released a customized SecurityCenter™ dashboard to monitor, track and remediate critical assets affected by CVE-2016-2118 and CVE-2016-0128. This dashboard is automatically available via the feed to provide insight on the impact to your environment and the progress of your efforts to remediate this vulnerability.
SecurityCenter Continuous View detection capabilities
Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.
The following LCE and PVS plugins address Badlock:
|
Samba < 4.2.10/11, < 4.3.7/8, < 4.4.1/2 Badlock Vulnerability |
|
|
Samba 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock) |
|
|
Samba 4.3.x < 4.3.7 Multiple Vulnerabilities (Badlock) |
|
|
Samba 4.2.x < 4.2.10 Multiple Vulnerabilities (Badlock) |
Related Articles
Consolidate and Unify to Accelerate Your Security Efforts
October 13, 2022CISOs want to shrink their cybersecurity tool stack and see improved interoperability among products so that they can draw actionable insights from uniform and normalized data. Here we explain why this is key for understanding your environment’s security posture and empowering you to make better decisions about mitigating risk.
Narrow Focus on CVEs Leaves Organizations Vulnerable to Attacks
October 21, 2021CWEs and other vulnerabilities necessitate a single dashboard for complete cyber risk assessment A growing number of cybersecurity professionals have evolved their legacy vulnerability manageme...
Outstanding Patch Tracking Dashboard
February 7, 2017Editor's note: Our dashboards have been updated in the time since this blog was originally published. Please see this page for the latest guidance on Outstanding Remediation Tracking. The IT Operat...
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Dashboards
- LCE
- Nessus
- Nessus Network Monitor
- Plugins
- SecurityCenter