An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. Microsoft and SAMBA are vulnerable to these attacks. The vulnerability is triggered when these protocols accept authentication levels that do not protect them adequately. It is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database. To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user. The attacker can access domain passwords as well. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.
There are two different CVE identifiers associated with this vulnerability:
In addition to this, the vulnerability has been known by 'badlock'.
Microsoft has two protocols that are vulnerable to this attack:
These protocols maintain the Security Account Manager database. They are supported by both Windows and Samba, and they support all domain profiles.
In addition to these, SAMBA's following protocols are susceptible to this vulnerability:
Attack mechanism:
There are 6 authentication levels (auth levels), as described in the DCE/RPC protocol. '1' is the lowest and '6' is the highest:
Example of an attack scenario:
The attacker lowers the auth level to '2'. Level '2', as shown earlier, provides minimal authentication. Note that it does not protect the messages transferred between the client and the server. This is an ideal scenario for an attacker. With this, the attacker can achieve read/write access to the SAMR services and potentially obtain passwords and any other sensitive information.
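The downgrade described above is visible on the wire in the auth verifier trailer of the DCE/RPC bind PDU, where the `auth_level` byte says how the channel is protected. The following is an added example (not part of this article and not Dell SonicWall's signature): it builds a constructed little-endian bind PDU for a given interface and auth level, parses it back, and flags any SAMR or LSARPC bind whose level is below PKT_PRIVACY (6). The SAMR and LSARPC interface UUIDs and the NDR transfer syntax UUID are taken from the MS-SAMR, MS-LSAD and DCE/RPC specifications, not from this page; the credential blob in the sample bind is a zero-filled placeholder.

```python
import struct
import uuid

# Authentication levels from the DCE/RPC specification (auth_level byte in the
# auth verifier trailer). 1 is the weakest, 6 the strongest.
AUTH_LEVELS = {
    1: "DEFAULT",
    2: "CONNECT",        # authenticates the connection only; no per-message protection
    3: "CALL",
    4: "PKT",
    5: "PKT_INTEGRITY",  # every message is signed
    6: "PKT_PRIVACY",    # every message is signed and encrypted
}
PKT_PRIVACY = 6
PTYPE_BIND = 11

# Interface UUIDs of the two affected protocols (from the MS-SAMR / MS-LSAD
# interface definitions; assumption: this page does not list them).
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
LSARPC_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
SENSITIVE_INTERFACES = {SAMR_UUID: "SAMR", LSARPC_UUID: "LSARPC"}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR v2 transfer syntax


def build_bind(interface, auth_level, auth_type=10):
    """Construct a minimal DCE/RPC v5 bind PDU (little-endian DREP) with one
    presentation context and an auth verifier trailer. This is constructed
    sample input for parse_bind(), not captured traffic."""
    creds = b"\x00" * 8  # placeholder; real binds carry an NTLMSSP/SPNEGO token here
    ctx = (struct.pack("<HBB", 0, 1, 0)                 # p_cont_id, n_transfer_syn, reserved
           + interface.bytes_le + struct.pack("<I", 1)   # abstract syntax: uuid + version
           + NDR_SYNTAX.bytes_le + struct.pack("<I", 2)) # transfer syntax: uuid + version
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx  # max frags, assoc group, n_ctx
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0) + creds
    frag_length = 16 + len(body) + len(trailer)
    # rpc_vers, minor, ptype, pfc_flags (first|last), drep (0x10 = little-endian), frag_length,
    # auth_length (credentials only), call_id
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, frag_length, len(creds), 1)
    return header + body + trailer


def parse_bind(pdu):
    """Return (interface_uuid, auth_level) from a bind PDU. auth_level is None
    when the bind carries no auth verifier at all (unauthenticated bind)."""
    rpc_vers, _minor, ptype, _flags, drep, frag_length, auth_length, _call_id = \
        struct.unpack_from("<BBBBIHHI", pdu, 0)
    if rpc_vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if (drep & 0xF0) != 0x10:
        raise ValueError("only little-endian data representation is handled here")
    if pdu[16 + 8] < 1:  # n_context_elem
        raise ValueError("bind carries no presentation context")
    # Abstract syntax UUID of the first context element: header(16) + body fixed part(12)
    # + p_cont_id/n_transfer_syn/reserved(4).
    iface = uuid.UUID(bytes_le=bytes(pdu[32:48]))
    if auth_length == 0:
        return iface, None
    # The auth verifier is the last 8 + auth_length bytes of the fragment.
    trailer_off = frag_length - auth_length - 8
    if trailer_off < 16 + 12:
        raise ValueError("auth_length inconsistent with frag_length")
    _auth_type, auth_level, _pad, _rsvd, _ctx_id = struct.unpack_from("<BBBBI", pdu, trailer_off)
    return iface, auth_level


def assess_bind(pdu):
    """Classify a bind against the affected interfaces. A SAMR or LSARPC bind
    below PKT_PRIVACY (including an unauthenticated one) is flagged, since
    such a channel does not protect the messages from tampering or disclosure."""
    iface, level = parse_bind(pdu)
    name = SENSITIVE_INTERFACES.get(iface, str(iface))
    level_name = AUTH_LEVELS.get(level, "NONE") if level is not None else "NONE"
    flagged = iface in SENSITIVE_INTERFACES and (level is None or level < PKT_PRIVACY)
    return {"interface": name, "auth_level": level, "level_name": level_name, "flag": flagged}


if __name__ == "__main__":
    for iface, level in ((SAMR_UUID, 2), (LSARPC_UUID, 6), (uuid.uuid4(), 2)):
        print(assess_bind(build_bind(iface, level)))
```

The check treats anything below level 6 on these two interfaces as suspect because levels 1 through 4 leave request and response bodies unsigned, which is exactly what a downgrade to '2' relies on; a monitoring rule can be loosened to accept level 5 where integrity-only is the agreed baseline.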
Dell Sonicwall has written the following signature that protects our customers from this issue. It will be available in today's (04/12/2016) release.
Security News