On Badlock for Samba (CVE-2016-2118) and Windows (CVE-2016-0128)

Published at 2016-04-12 22:05:23

Today is Badlock Day

You may recall that the folks over at badlock.org stated about 20 days ago that April 12 would see patches for "Badlock," a serious vulnerability in the SMB/CIFS protocol that affects both Microsoft Windows and any server running Samba, an open source workalike for SMB/CIFS services. We talked about it back in our Getting Ahead of Badlock post, and hopefully IT administrators have taken advantage of the pre-release warning to clear their schedules for today's patching activities. For Microsoft shops, this should have been straightforward, since today is also Microsoft Patch Tuesday; applying critical Microsoft patches is, after all, a pretty predictable event. For administrators of servers that run other operating systems and also happen to offer Samba, we've all had a rough couple of years of (usually) coordinated disclosures and updates around core system libraries, so this event can piggyback on those established procedures.

How worried should I be?

While we do recommend you roll out the patches as soon as possible, as we generally do for everything, we don't think Badlock is the Bug To End All Bugs[TM]. In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better, depending on your point of view) attacks they may leverage. Badlock describes a Man-in-the-Middle (MitM) vulnerability affecting both Samba's implementation of SMB/CIFS (as CVE-2016-2118) and Microsoft's (as CVE-2016-0128). This is NOT a straightforward remote code execution (RCE) vulnerability, so it is unlike MS08-067 or any of the historical RCE issues against SMB/CIFS. More details about Badlock and the related issues can be found over at badlock.org. The most likely attack scenario is an internal user who is already in a position to intercept and modify network traffic in transit (on the same network segment as the victim or the server, for example) and uses that position to gain privileges equivalent to those of the intercepted user. While some SMB/CIFS servers exist on the Internet, this is generally considered poor practice and should be avoided anyway.

What's next?

For Samba administrators, the easy advice is to just patch up now. If you're absolutely certain you're not offering CIFS/SMB over the Internet with Samba, check again: unintentionally exposed services are the bane of IT security, given the porous nature of network perimeters. While you're checking, go ahead and patch, since both private and public exploits will surface eventually. You can bet that exploit developers around the world are poring over the Samba patches right now. In fact, you can track public progress over at the Metasploit Pull Request queue, but please keep your comments technically relevant and helpful if you care to pitch in.

For Microsoft Windows administrators, Badlock is fixed in MS16-047. While Microsoft rates this bulletin only as "Important," there are plenty of other critically rated issues released today, so IT organizations are advised to use their already-negotiated change windows to test and apply this latest round of patches.

Rapid7 will be publishing both Metasploit exploits and Nexpose checks just as soon as we can, and this post will be updated when those are available. These should help IT security practitioners identify their organizations' exposure on both systems that are routinely kept up to date and those systems that are IT's responsibility but are, for whatever reason, outside of IT's direct control.

Are any Rapid7 products affected?

No Rapid7 products are affected by this vulnerability.
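One concrete way to perform that "check again" for Internet-exposed SMB/CIFS, as an added example that is not code from the original post or from Rapid7: expand your public address ranges and attempt a TCP connect to the SMB ports from a vantage point outside your perimeter. The address range 192.0.2.0/30 used below is a documentation range chosen here as a constructed sample, and the `probe` parameter is an assumption of this example so the logic can be exercised without network access.

```python
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# SMB over TCP (445) and the NetBIOS session service (139) that older
# SMB/CIFS deployments still listen on.
SMB_PORTS = (445, 139)


def expand_targets(cidrs):
    """Turn a list of CIDR strings into a flat list of host addresses.

    Network and broadcast addresses are skipped; /31 and /32 are handled
    by ipaddress.hosts() according to the usual rules."""
    hosts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        hosts.extend(str(h) for h in net.hosts())
    return hosts


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP handshake with host:port completes.

    A firewall that silently drops packets shows up as a timeout, which
    is reported as 'not exposed' here; a completed handshake means
    something is listening, whether or not it actually speaks SMB."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed_smb(hosts, ports=SMB_PORTS, probe=tcp_probe, workers=32):
    """Map each host to the list of SMB ports that accepted a connection.

    `probe(host, port) -> bool` is injectable (an assumption of this
    example) so the scan logic can be tested offline; the default performs
    a real TCP connect. Run it from OUTSIDE your perimeter so you see what
    the Internet sees, not what your internal network sees."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: probe(*t), targets))
    exposed = {}
    for (host, port), is_open in zip(targets, results):
        if is_open:
            exposed.setdefault(host, []).append(port)
    return exposed


if __name__ == "__main__":
    # Usage: python smb_exposure.py 192.0.2.0/30 198.51.100.0/28 ...
    ranges = sys.argv[1:] or ["192.0.2.0/30"]  # constructed sample range
    for host, open_ports in sorted(find_exposed_smb(expand_targets(ranges)).items()):
        print(f"{host}: SMB-related ports reachable: {open_ports}")
```

A completed connect on 445 or 139 from the outside does not by itself prove a Samba or Windows server is behind it, but any such listener on a public address is exactly the "unintentionally exposed service" worth tracking down before exploits for Badlock start circulating. Hosts that are reachable only from inside the perimeter are still in scope for patching; the scan only narrows down which ones also need firewall attention.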

Source: rapid7.com