Badlock: Windows SAM and LSAD Downgrade Vulnerability

An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. Both Windows and Samba are affected. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel: they accept authentication levels that do not adequately protect the traffic. To exploit it, an attacker positioned as a man-in-the-middle (MITM) forces a downgrade of the authentication level of the SAM and LSAD channels and then impersonates an authenticated user. An attacker who successfully exploited this vulnerability could gain access to the SAM database, including domain passwords. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.

There are two different CVE identifiers associated with this vulnerability:

  • Microsoft: CVE-2016-0128
  • SAMBA: CVE-2016-2118

The vulnerability is also widely known as 'Badlock'.

Microsoft has two protocols that are vulnerable to this attack:

  • Security Account Manager Remote Protocol (SAMR): provides management functionality for the account store and for user and group directories.
  • Local Security Authority (Domain Policy) Remote Protocol (LSAD): provides management functionality for machine and domain security policies.

Both protocols operate on the Security Account Manager database. They are implemented by Windows and by Samba, and they are available in all domain configurations.
In addition, the following Samba protocols are susceptible to this vulnerability:

  • Directory Replication Service Remote Protocol (DRSR): the RPC protocol used to replicate and manage data in Active Directory.
  • BackupKey Remote Protocol (BKRP): encrypts and decrypts sensitive data (such as cryptographic keys).

Attack mechanism:

There are six authentication levels (auth levels), as defined by the DCE/RPC protocol. '1' is the lowest and '6' is the highest:

  • 1: None (no authentication)
  • 2: Connect (authenticates the client only when the connection is established; individual messages are not protected)
  • 3: Call (authenticates only at the beginning of each remote procedure call)
  • 4: Packet (authenticates that every packet received came from the expected client)
  • 5: Packet Integrity (adds an integrity check so that no packet can be modified in transit)
  • 6: Packet Privacy (additionally encrypts the contents of every packet)

Example of an attack scenario:

  • Step 1: The client sends a bind request to the server asking for the highest auth level, '6'.
  • Step 2: The MITM intercepts the request and changes the auth level field from '6' to '2'.
  • Step 3: The server accepts the bind at level '2' and responds with auth level '2', which the vulnerable client accepts instead of tearing down the connection.

The attacker has lowered the auth level to '2'. Level '2' (connect) provides only minimal authentication: it authenticates the client once, when the connection is established, and does not protect the messages transferred between the client and the server afterwards, so they can be read and modified in transit. This is an ideal scenario for an attacker. With it, the attacker can obtain read/write access to the SAMR service and potentially obtain passwords and other sensitive information.
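The exchange described above, as an added example that is not part of the original post: a small Python script that builds a SAMR bind request at auth level 6, rewrites the sec_trailer's auth_level byte the way an on-path attacker would, lets a mirroring server answer at level 2, and then shows both the client-side check that defeats the downgrade and a sensor-style comparison of the bind/bind_ack pair (the kind of condition a signature named "DCERPC AuthLevel Downgrade" would look for). The PDU layout and interface UUIDs follow MS-RPCE, MS-SAMR and MS-LSAD; the NTLMSSP tokens are constructed placeholders, and the server and client behaviours are simplified models, not Windows or Samba code.

```python
"""DCE/RPC bind auth-level downgrade (the Badlock pattern), as an added illustration.

Builds a SAMR bind at RPC_C_AUTHN_LEVEL_PKT_PRIVACY (6), shows how an on-path
attacker flips the sec_trailer's auth_level byte to CONNECT (2), and contrasts a
vulnerable client with a patched one. Tokens are constructed placeholders.
"""
import struct
import uuid

PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
AUTH_TYPE_NTLMSSP = 10                                   # RPC_C_AUTHN_WINNT
# RPC_C_AUTHN_LEVEL_*: 1 is the weakest, 6 the strongest
LEVEL_NONE, LEVEL_CONNECT, LEVEL_CALL, LEVEL_PKT, LEVEL_PKT_INTEGRITY, LEVEL_PKT_PRIVACY = range(1, 7)
LEVEL_NAMES = {1: "none", 2: "connect", 3: "call", 4: "pkt", 5: "pkt_integrity", 6: "pkt_privacy"}

# Interface identifiers in little-endian wire order (samr v1.0, lsarpc v0.0, NDR transfer syntax v2)
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac").bytes_le
LSAD_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab").bytes_le
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le
SENSITIVE_IFACES = {SAMR_UUID: "samr", LSAD_UUID: "lsarpc"}

HDR = "<BBBBIHHI"       # rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id
SEC_TRAILER = "<BBBBI"  # auth_type, auth_level, auth_pad_length, auth_reserved, auth_context_id


def _finish(ptype, body, auth_level, auth_token, call_id):
    """Append auth padding, sec_trailer and auth_value, then prepend the 16-byte common header."""
    pad = (-len(body)) % 4                               # auth_value must start on a 4-byte boundary
    body += b"\x00" * pad
    trailer = struct.pack(SEC_TRAILER, AUTH_TYPE_NTLMSSP, auth_level, pad, 0, 0)
    frag_length = 16 + len(body) + len(trailer) + len(auth_token)
    header = struct.pack(HDR, 5, 0, ptype, 0x03, 0x10, frag_length, len(auth_token), call_id)
    return header + body + trailer + auth_token


def build_bind(auth_level, iface=SAMR_UUID, iface_version=1, call_id=1, auth_token=b"NTLMSSP-negotiate-placeholder"):
    body = struct.pack("<HHI", 4280, 4280, 0)            # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)                 # one presentation context element
    body += struct.pack("<HBB", 0, 1, 0) + iface + struct.pack("<I", iface_version)
    body += NDR_UUID + struct.pack("<I", 2)              # transfer syntax: NDR v2
    return _finish(PTYPE_BIND, body, auth_level, auth_token, call_id)


def build_bind_ack(auth_level, call_id=1, auth_token=b"NTLMSSP-challenge-placeholder"):
    sec_addr = b"\\PIPE\\samr\x00"
    body = struct.pack("<HHI", 4280, 4280, 0x1234) + struct.pack("<H", len(sec_addr)) + sec_addr
    body += b"\x00" * ((-len(body)) % 4)                 # p_result_list is 4-byte aligned
    body += struct.pack("<BBH", 1, 0, 0) + struct.pack("<HH", 0, 0) + NDR_UUID + struct.pack("<I", 2)
    return _finish(PTYPE_BIND_ACK, body, auth_level, auth_token, call_id)


def parse_pdu(pdu):
    """Header fields plus the sec_trailer, which sits immediately before the last auth_length bytes."""
    ver, _, ptype, _, _, frag_length, auth_length, call_id = struct.unpack_from(HDR, pdu, 0)
    if ver != 5 or frag_length != len(pdu):
        raise ValueError("malformed DCE/RPC PDU")
    info = {"ptype": ptype, "call_id": call_id, "auth_type": None, "auth_level": None, "iface": None}
    if ptype == PTYPE_BIND and pdu[24]:                  # n_context_elem > 0
        info["iface"] = pdu[32:48]                       # abstract syntax UUID of the first context element
    if auth_length:
        trailer_off = frag_length - auth_length - struct.calcsize(SEC_TRAILER)
        auth_type, auth_level, _, _, _ = struct.unpack_from(SEC_TRAILER, pdu, trailer_off)
        info.update(auth_type=auth_type, auth_level=auth_level)
    return info


def mitm_downgrade(pdu, new_level=LEVEL_CONNECT):
    """On-path attacker: the bind is not yet integrity protected, so one byte rewrites the level."""
    _, _, _, _, _, frag_length, auth_length, _ = struct.unpack_from(HDR, pdu, 0)
    level_off = frag_length - auth_length - struct.calcsize(SEC_TRAILER) + 1
    return pdu[:level_off] + bytes([new_level]) + pdu[level_off + 1:]


def server_bind_ack(bind):
    """Simplified server: mirrors whatever level the (possibly tampered) bind asked for."""
    req = parse_pdu(bind)
    return build_bind_ack(req["auth_level"], call_id=req["call_id"])


def client_accepts(requested_level, bind_ack, enforce_requested_level=True):
    """Vulnerable clients took the server's level as-is; the fix refuses anything below what was requested."""
    ack = parse_pdu(bind_ack)
    if ack["ptype"] != PTYPE_BIND_ACK or ack["auth_level"] is None:
        return False
    return not (enforce_requested_level and ack["auth_level"] < requested_level)


def detect_downgrade(bind, bind_ack, min_level=LEVEL_PKT_INTEGRITY):
    """Sensor-style check over a bind/bind_ack pair; returns a list of findings (empty if clean)."""
    b, a = parse_pdu(bind), parse_pdu(bind_ack)
    findings = []
    if b["call_id"] != a["call_id"]:
        return findings
    ack_level = a["auth_level"] or LEVEL_NONE
    if b["auth_level"] is not None and ack_level < b["auth_level"]:
        findings.append(f"auth level downgraded {LEVEL_NAMES[b['auth_level']]} -> {LEVEL_NAMES[ack_level]}")
    name = SENSITIVE_IFACES.get(b["iface"])
    if name and ack_level < min_level:
        findings.append(f"{name} bound at {LEVEL_NAMES[ack_level]}, below {LEVEL_NAMES[min_level]}")
    return findings


def run_scenario():
    """Steps 1-3 from the text: client binds at 6, attacker flips it to 2, server answers at 2."""
    bind = build_bind(LEVEL_PKT_PRIVACY)
    tampered = mitm_downgrade(bind)
    ack = server_bind_ack(tampered)
    return {
        "client_requested": parse_pdu(bind)["auth_level"],
        "server_saw": parse_pdu(tampered)["auth_level"],
        "ack_level": parse_pdu(ack)["auth_level"],
        "vulnerable_client_accepts": client_accepts(LEVEL_PKT_PRIVACY, ack, enforce_requested_level=False),
        "patched_client_accepts": client_accepts(LEVEL_PKT_PRIVACY, ack),
        "client_side_findings": detect_downgrade(bind, ack),
        "server_side_findings": detect_downgrade(tampered, ack),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it directly to print the scenario. Where a sensor sits matters: on the client side of the MITM it sees the bind at 6 and the ack at 2, a clear mismatch; on the server side both PDUs already carry 2, so the only remaining signal is that a sensitive interface such as SAMR was bound below packet integrity.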

Dell SonicWALL has written the following signatures to protect our customers from this issue. They will be available in today's (04/12/2016) release.

  • 11560: BadLock Vulnerability
  • 11555: DCERPC AuthLevel Downgrade

Microsoft Security Bulletin Coverage (Apr 12, 2016)

Dell SonicWALL has analyzed and addressed Microsoft's security bulletins released on Apr. 12, 2016. The issues reported, along with Dell SonicWALL coverage information, are as follows:

MS16-037 Cumulative Security Update for Internet Explorer

  • CVE-2016-0154 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11559 "Microsoft Browser Memory Corruption Vulnerability (MS16-037)"
  • CVE-2016-0159 Internet Explorer Memory Corruption Vulnerability
    IPS: 11557 "Internet Explorer Memory Corruption Vulnerability (MS16-037) 1"
  • CVE-2016-0160 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0162 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0164 Internet Explorer Memory Corruption Vulnerability
    IPS: 11558 "Internet Explorer Memory Corruption Vulnerability (MS16-037) 2"
  • CVE-2016-0166 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-038 Cumulative Security Update for Microsoft Edge

  • CVE-2016-0154 Microsoft Browser Memory Corruption Vulnerability
    IPS: 11559 "Microsoft Browser Memory Corruption Vulnerability (MS16-037)"
  • CVE-2016-0155 Microsoft Edge Memory Corruption Vulnerability
    SPY: 4382 "Malformed-File exe.MP.13"
  • CVE-2016-0156 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0157 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11550 "Microsoft Edge Memory Corruption Vulnerability (MS16-038) 2"
  • CVE-2016-0158 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11551 "Microsoft Edge Memory Corruption Vulnerability (MS16-038) 3"
  • CVE-2016-0161 Microsoft Edge Elevation of Privilege Vulnerability
    IPS: 11552 "Microsoft Edge Memory Corruption Vulnerability (MS16-038) 4"

MS16-039 Security Update for Microsoft Graphics Component

  • CVE-2016-0143 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0145 Graphics Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0165 Win32k Elevation of Privilege Vulnerability
    SPY: 4357 "Malformed-File exe.MP.11"
  • CVE-2016-0167 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-040 Security Update for Microsoft XML Core Services

  • CVE-2016-0147 MSXML Remote Code Execution Vulnerability
    IPS: 11548 "MSXML Remote Code Execution Vulnerability (MS16-039) 1"

MS16-041 Security Update for .NET Framework

  • CVE-2016-0148 .NET Framework Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-042 Security Update for Microsoft Office

  • CVE-2016-0122 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0127 Microsoft Office Memory Corruption Vulnerability
    SPY: 4336 "Malformed-File rtf.MP.13"
  • CVE-2016-0136 Microsoft Office Memory Corruption Vulnerability
    IPS: 11258 "Malformed Excel Document 1"
  • CVE-2016-0139 Microsoft Office Memory Corruption Vulnerability
    SPY: 4335 "Malformed-File xls.MP.52"

MS16-044 Security Update for Windows OLE

  • CVE-2016-0153 Windows OLE Remote Code Execution Vulnerability
    SPY: 4491 "Malformed-File doc.MP.36"

MS16-045 Security Update for Windows Hyper-V

  • CVE-2016-0088 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0089 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0090 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-046 Security Update for Secondary Logon

  • CVE-2016-0135 Secondary Logon Elevation of Privilege Vulnerability
    IPS: 11554 “Windows Secondary Logon Elevation of Privilege Vulnerability”

MS16-047 Security Update for SAM and LSAD Remote Protocols

  • CVE-2016-0128 Windows RPC Downgrade Vulnerability
    IPS: 11555 “DCERPC AuthLevel Downgrade (Windows)”

MS16-048 Security Update for CSRSS

  • CVE-2016-0151 Windows CSRSS Security Feature Bypass Vulnerability
    SPY: 4358 "Malformed-File exe.MP.12"

MS16-049 Security Update for HTTP.sys

  • CVE-2016-0150 HTTP.sys Denial of Service Vulnerability
    There are no known exploits in the wild.