Windows SAM and LSAD Downgrade Vulnerability (Badlock) Advisory [CVE-2016-0128]

Vulnerability Overview:

The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “Windows SAM and LSAD Downgrade Vulnerability” or “BADLOCK”.

Details:

This vulnerability is related to the downgrade of the authentication levels supported by the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. Exploitation requires an attacker to carry out a man-in-the-middle (MitM) attack to force the downgrade and impersonate an authenticated user. A successful exploit could result in unauthorized access to the SAM database, which maintains user account information and security descriptors for users on the local computer. Both Microsoft Windows and Samba servers are vulnerable to these attacks.

Identified by the following CVE IDs:
1. CVE-2016-0128 – Microsoft
2. CVE-2016-2118 – Samba

Windows servers use the Security Accounts Manager (SAM) service and the Local Security Authority service so that applications cannot gain access to resources without authentication and authorization. These services maintain user accounts and security policies on the system or domain.

The two protocols, MS-SAMR (Security Account Manager Remote Protocol) and MS-LSAD (Local Security Authority (Domain Policy) Remote Protocol), maintain the security account manager database. Both are application-level protocols built on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol and are available on Windows and Samba installations. These protocols are vulnerable to this attack.

The vulnerability is triggered when these protocols accept authentication levels that do not protect them adequately. It is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. A man-in-the-middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and force a downgrade of the accepted authentication level, gaining the same privileges as the client. The attacker can get hold of domain passwords as well. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.
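As an added example (not code from the advisory, Microsoft or Samba), the following parser inspects a DCERPC bind PDU and flags a SAMR or LSARPC bind whose proposed authentication level is below packet privacy, the kind of check a network monitor can apply to captured traffic to spot the downgrade described above. The PDUs it reads are constructed inline by `make_bind`; the interface UUIDs, auth-level numbers and PDU layout are the standard C706/MS-RPCE values, and the 8-byte auth token is a zero placeholder.

```python
import struct
import uuid

# Well-known DCERPC interface UUIDs for the two protocols the advisory covers.
SAMR = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
LSARPC = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
INTERFACES = {SAMR: "SAMR", LSARPC: "LSARPC"}
AUTH_LEVELS = {1: "none", 2: "connect", 3: "call", 4: "pkt",
               5: "pkt_integrity", 6: "pkt_privacy"}
PKT_PRIVACY, BIND = 6, 11

def audit_bind(pdu):
    """Parse one DCERPC v5 bind PDU (C706/MS-RPCE layout, little-endian DREP).
    Returns the first requested interface, the auth level the client proposed
    ('none' when there is no auth trailer) and whether that level is below
    pkt_privacy for a SAMR or LSARPC bind."""
    vers, _minor, ptype, _flags, drep, frag_len, auth_len, _call = \
        struct.unpack_from("<BBBBIHHI", pdu, 0)
    if vers != 5 or ptype != BIND:
        raise ValueError("not a DCERPC v5 bind PDU")
    if not drep & 0x10:
        raise ValueError("big-endian DREP not handled in this example")
    n_ctx, off, iface = pdu[24], 28, None   # n_context_elem follows the 8-byte bind prefix
    for _ in range(n_ctx):
        _cid, n_ts = struct.unpack_from("<HB", pdu, off)
        abstract = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        iface = iface or INTERFACES.get(abstract, str(abstract))
        off += 24 + 20 * n_ts               # ctx header(4) + abstract(20) + transfer syntaxes(20 each)
    level = 1                               # no auth trailer: unauthenticated bind
    if auth_len:                            # trailer header sits 8 bytes before the auth value
        _atype, level = struct.unpack_from("<BB", pdu, frag_len - auth_len - 8)
    weak = iface in INTERFACES.values() and level < PKT_PRIVACY
    return {"interface": iface, "auth_level": AUTH_LEVELS.get(level, level), "weak": weak}

def make_bind(abstract, auth_level=None):
    """Constructed fixture (not captured traffic): a one-context bind for `abstract`
    with an NTLMSSP auth trailer at `auth_level`, or no trailer when None."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax v2
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)    # max frags, assoc group, 1 context
    body += struct.pack("<HBB", 0, 1, 0) + abstract.bytes_le + struct.pack("<I", 1)
    body += ndr.bytes_le + struct.pack("<I", 2)
    auth = b""
    if auth_level is not None:
        # auth_type 10 = NTLMSSP; the 8 zero bytes stand in for a real token.
        auth = struct.pack("<BBBBI", 10, auth_level, 0, 0, 0) + b"\x00" * 8
    frag_len, auth_len = 16 + len(body) + len(auth), max(len(auth) - 8, 0)
    return struct.pack("<BBBBIHHI", 5, 0, BIND, 0x03, 0x10, frag_len, auth_len, 1) + body + auth
```

Running `audit_bind(make_bind(SAMR, 2))` reports a weak (connect-level) SAMR bind, while the same bind at level 6 is not flagged.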

Exploitability –
Exploits for this vulnerability are not out in the wild yet. A key factor in exploiting this vulnerability is that the attacker must first carry out a man-in-the-middle (MitM) attack, which means the attacker has to be reasonably knowledgeable about the target network.

Recommended Solution:

1. Complete scan of the infrastructure to identify vulnerable systems.
2. Apply the patches released by Microsoft and Samba on the vulnerable systems.

Following are links for downloading patches to fix the vulnerabilities:

Microsoft Security Bulletin MS16-047
https://technet.microsoft.com/library/security/ms16-047

Samba Badlock Vulnerability: Samba 4.4.0
https://download.samba.org/pub/samba/patches/security/samba-4.4.0-securi...

Samba Badlock Vulnerability: Samba 4.3.6
https://download.samba.org/pub/samba/patches/security/samba-4.3.6-securi...

Samba Badlock Vulnerability: Samba 4.2.9
https://download.samba.org/pub/samba/patches/security/samba-4.2.9-securi...

Workaround -
Risk can be lowered by disabling login/authentication with privileged accounts over unprotected networks.
Privileged account logins should be allowed only through physical consoles, to avoid authentication over network communications.

System Affected/Related OS and Version:

This issue affects:
Windows Server 2012 R2
Windows Server 2008 SP2
Windows RT 8.1
Windows Vista SP2
Windows 7 SP1
Windows 10
Windows 8.1
Windows Server 2012
Windows Server 2008 R2 SP1
Windows 10 1511 (x64)

Appendix:
External Source: MS
http://technet.microsoft.com/security/bulletin/MS16-047
External Source: MISC
https://www.samba.org/samba/security/CVE-2016-2118.html

Threat Category: