It has only been twenty-one days since the last named vulnerability (DROWN), and now we have the next one! Early on March 22nd, the security industry started hearing rumors of ‘Badlock’, and then the site announcing it began making the rounds. The domain was registered by Johannes Loxen out of Germany on March 11, 2016, to announce “a crucial security bug in Windows and Samba” that will be disclosed on April 12, 2016. Given that April 12 falls on the next Microsoft Patch Tuesday, we can probably assume that this will begin the standard race between patching computers and bad guys writing exploits to take advantage of administrators who are slow to update. The web site also warns that they are “pretty sure that there will be exploits soon after we publish all relevant information.” To us, that sounds like the issue will be remote code execution, and the update to their web site on the 12th will make it trivial for any exploit writer to come up with reliable code to do so.
It should be no surprise to anyone that Microsoft has a long history of vulnerabilities (over 3,200 across 489 products lifetime, with a 7.38 CVSSv2 average score according to VulnDB). Samba, on the other hand, is well-known in IT circles but may be unfamiliar to many consumers. The software provides file and print services for any client using the SMB/CIFS protocol, which includes Windows and Linux. Historically, there are only 114 published vulnerabilities in Samba, despite its considerable deployment in corporate environments. Samba’s web site has also updated its news page, warning users that “a crucial security bug in Windows and Samba will be disclosed”, making this vulnerability interesting to many. With both vendors apparently offering patches, it suggests the vulnerability is either within the integration between the two vendors, within the separate implementations by each vendor, or in the SMB/CIFS protocol itself (we’re betting on the latter).
As with most named vulnerabilities (that have a logo, website, and apparent marketing campaign), a certain level of drama tends to come with them, despite being the tiniest fraction of vulnerabilities disclosed every year. Badlock is no exception (even without an apparent acronym), and this is just the first day we are hearing of it, with 20 days before the discovering researchers disclose it.

We emphasize the word ‘discovering’ because named vulnerabilities announced pre-disclosure with some level of media fanfare taunt the hacker mindset, both good and bad. There is heavy debate as to whether this is a good or bad thing for defenders. Just knowing that the vulnerability affects Windows and Samba starts to narrow down where the issue is. We know it is almost assuredly remote, and likely has to do with the implementation of the SMB/CIFS protocol. With thousands of talented exploit developers out there, the odds of someone finding the same issue, or one equally serious, are considerable. Noted security researcher David Litchfield puts the odds of details leaking or being independently discovered at 15:1.

Litchfield goes on to speculate what the vulnerability may be based on the name and a quick evaluation. We should note that the string ‘lock’ appears in over 40 file names within the current Samba distribution! However, we do not think that would hinder an experienced researcher from potentially finding the vulnerability, but it may slow them down an extra few hours. Again, compared to the 20 days before disclosure, that is barely a speed bump in the big picture. With 20 days to go, and the promise of a remote code execution vulnerability in Windows and Samba, you can be assured that criminal hackers are looking for it too. This is the routine part of pre-disclosures, not the drama!
For Badlock, the first day of poking around the Samba source code came up with a very interesting tidbit. As Wojciech Pawlikowski points out, Badlock was discovered by Stefan Metzmacher, and his name appears somewhere else interesting:

While this is merely speculation at this point, it cannot be ignored. The name Badlock is likely based on a file or resource locking mechanism within the SMB implementation, and the code that controls it. But that one file and one copyright from 10 years ago is not necessarily damning. Taking a quick look at the extensive source code of Samba, Stefan Metzmacher’s name appears in 463 files, with the copyright years ranging from 2002 until 2014. It is clear that he has been seriously involved in Samba development for over a decade, and likely knows the software better than almost anyone else. If there is any question of that, look to the German-based company SerNet, which just today posted an article about the upcoming Badlock vulnerability. They call Metzmacher “a renowned member of the international Samba core developer team”, which can be verified on the Samba Team page where he and four others from SerNet are listed (out of the six total at SerNet, including Loxen, who registered the Badlock domain). SerNet advertises itself as having two USPs (unique selling points): SAMBA and verinice. Their Samba service page goes on to say that by choosing them, you “get the best Samba support out there. We offer support, consulting, training and coding around Samba. Worldwide. 24/7.” It is certainly eye opening when someone develops a piece of software for over a decade, then finds a critical vulnerability in it a couple of years after their name starts disappearing from source code copyrights, and will most likely capitalize on it directly. As Gabor Szathmari quips:

Chris Nickerson goes on to summarize, “Wait wait… So #Badlock was found by the dude who wrote the code and camped on his own vuln till he could get paid? #Gangsta”.
At this point, it certainly seems that way and it appears we will need to wait until April 12, 2016 for more details… assuming details aren’t leaked, or the vulnerability isn’t discovered and disclosed in the meantime.
