Badlock: All Quiet on the Disclosure Front [Update #3]

[This was originally posted on the RBS blog.]


With a week to go before the hyped Badlock vulnerability is disclosed (finally, with patches!), it has been mostly quiet as far as any further detail or insight goes. In the fourteen days since it was first announced, MITRE has still not seen fit to issue a CVE identifier for the vulnerability, despite the widespread attention after it hit the news. That isn't too surprising given the lack of detail about the vulnerability, and given that MITRE has also taken months to respond to researchers requesting a CVE ID, sometimes only to say "no" to the assignment over 100 days later.

Since the initial flurry of media attention, system administrators and security staff have had nothing more to go on, and therefore nothing actionable they can do to protect their organizations. All they have is the vague threat of a remote attack that can be leveraged for administrative access.

Meanwhile, some security researchers continue to poke around the Samba code looking for clues.

For computer criminals, notoriously ahead of the defensive crowd, it is hard to say what has occurred in this quiet period. No new attack against Samba installations has been detected, which would be the sign that the bad guys had figured it out, but that possibility still can't be ruled out. Since the majority of security detection is based on signatures of known attacks, we cannot assume that organizations would have detected such an exploit yet. This is especially true if attackers were using it very strategically to compromise specific targets, rather than using it against large portions of the Internet.

Meanwhile, since the initial Badlock disclosure, 42 vulnerabilities have been disclosed with a CVSSv2 score of 10.0. Not one of them has been named, has its own web site, or generated a flood of news articles. Worse, 10 of them were remote and had a public exploit available, re-opening the debate as to whether naming a vulnerability really helps organizations focus on the issues that need attention. For those organizations struggling to keep up and debating whether the named vulnerability should warrant more priority: remember that only one of those exploitable remote vulnerabilities had a CVE identifier, and that one was RESERVED as usual. Fortunately for your organization, it was only in an Apache product.

Until something concrete happens, or next Tuesday comes, we'll all continue to wait and watch, and at RBS we will continue to track all of the other vulnerability activity.
