[aklug] Re: [NUGA] Re: getting ready for Badlock?

From: kris laubenstein <krislaubenstein@gmail.com>
Date: Tue Apr 12 2016 - 09:34:06 AKDT

Agreed with Royce here. Not sure this deserved a logo and a name. If more
end up like this, they'll start being treated as wolf crying.

But, I suppose it can't hurt to audit all potential Samba / SMB sources, if
only to update the network map.

Kris Laubenstein
On Apr 12, 2016 9:28 AM, "Royce Williams" <royce@tycho.org> wrote:

> I wouldn't call it urgent by any means. If you're not doing SMB signing,
> you're vulnerable to similar MITM anyway. I would roll this out in the same
> cycle as your usual patches.
>
> I think that the badlock.org people are going to get raked over the coals
> for this.
>
> And I really do think that moving towards SMB signing is a very good idea.
> You can make it optional on most platforms, and then enable logging to see
> where it's not being negotiated.
>
> Royce
>
> On Tue, Apr 12, 2016 at 9:06 AM, Royce Williams <royce@tycho.org> wrote:
>
>> Site's updated. MITM and DoS.
>>
>> http://badlock.org/
>>
>> None of the Samba CVE links exist yet.
>>
>> Best thing you can do to mitigate this entire class of problems on the
>> MITM side is to start working on enabling SMB signing.
>>
>> Royce
>>
>> On Mon, Apr 11, 2016 at 3:39 PM, Royce Williams <royce@tycho.org> wrote:
>>
>>> When the scan is finished I'll be able to provide a bit more info.
>>>
>>> In the meantime, here are the top-talker domains. Note that this is
>>> driven by PTR records, which can be stale. Note also that there are plenty
>>> of IPs that either have no PTR, or have a generic one, so just because your
>>> domain name doesn't appear here, don't assume that you're not exposed.
>>>
>>> I haven't definitively verified this, but I'm guessing that ACS is
>>> probably blocking 139 and/or 445 by default at the customer edge, and GCI
>>> probably isn't.
>>>
>>> 888:gci.net
>>> 21:acsalaska.net
>>> 20:kpunet.net
>>> 20:kgbsd.org
>>> 6:arctic.net
>>> 4:acetekk.com
>>> 3:rogershsa.com
>>> 2:ctcak.net
>>> 2:arcus.org
>>> 2:firstcitylibraries.org
>>> 2:cvinternet.net
>>> 1:ak.us
>>> 1:wwcpa.com
>>> 1:serrc.org
>>> 1:galenanet.com
>>> 1:eatribes.net
>>> 1:caa-ak.org
>>> 1:investfairbanks.com
>>> 1:frozenreality.com
>>> 1:megawattelectric.com
>>> 1:psd-k12.org
>>> 1:north-slope.org
>>> 1:alaska.net
>>> 1:muni.org
>>> 1:tekmate.net
>>> 1:nana.com
>>> 1:alaskadesign.com
>>>
>>> Royce
>>>
>>>
>>> On Mon, Apr 11, 2016 at 1:35 PM, Damien Hull <dhull@section9.us> wrote:
>>>
>>>> Royce,
>>>>
>>>> Nice! It would be interesting to see what kind of devices these are.
>>>> Devices like network printers could have file sharing turned on by default.
>>>>
>>>> On Mon, Apr 11, 2016 at 12:35 PM, Royce Williams <royce@tycho.org>
>>>> wrote:
>>>>
>>>>> Update: general announcement is coming out 17:00 hours UTC - so 8am
>>>>> Alaska.
>>>>>
>>>>> http://badlock.org/
>>>>>
>>>>> This coincides with the usual timing of Patch Tuesday, apparently.
>>>>>
>>>>> Royce
>>>>>
>>>>> On Mon, Apr 11, 2016 at 11:32 AM, Royce Williams <royce@tycho.org>
>>>>> wrote:
>>>>>
>>>>>> Badlock is landing tomorrow. From a survey of Alaskan IP space, I
>>>>>> can confirm that there's a non-trivial amount of SMB facing the public
>>>>>> Internet. If you have not already scanned your own IP space, now's a good
>>>>>> time to do so.
>>>>>>
>>>>>> My scan is still running, but a summary of the results so far can be
>>>>>> found here (access limited to Alaskan IP space). These are Alaskan IPs
>>>>>> that are publicly responding to SMB queries.
>>>>>>
>>>>>> http://www.techsolvency.com/scans/smb/smb-os-discovery.txt
>>>>>>
>>>>>>
>>>>>> You should also definitely be blocking any outbound SMB at your
>>>>>> border. This blog post has a good way to check from a Linux machine:
>>>>>>
>>>>>>
>>>>>> http://malwarejake.blogspot.com/2016/04/getting-ready-for-badlock.html?m=1
>>>>>>
>>>>>> Quoting:
>>>>>>
>>>>>> $ nc smbcheck.rsec.us 139
>>>>>> $ nc smbcheck.rsec.us 445
>>>>>>
>>>>>> If you get no output, you're good to go. If you see what I have
>>>>>> displayed below, you've got problems:
>>>>>>
>>>>>> jake$ nc smbcheck.rsec.us 139
>>>>>> DANGER! Your network allows TCP port 139 outbound. You should block
>>>>>> this!
>>>>>>
>>>>>> jake$ nc smbcheck.rsec.us 445
>>>>>> DANGER! Your network allows TCP port 445 outbound. You should block
>>>>>> this!
>>>>>>
>>>>>> [end quote]
>>>>>>
>>>>>>
>>>>>> This thing may be wormable -- either directly, or with multiple hops
>>>>>> (get any user to click on something, or hijack an ad network to get in,
>>>>>> then exploit Badlock). So you may want to think hard about things like
>>>>>> being ready for quarantine, emergency patching, restoring from 100%
>>>>>> airgapped backups. Disconnecting a few machines to pre-quarantine them as
>>>>>> "known good" might not be a bad idea. Experimenting with what you can do
>>>>>> with SMB completely turned off may also be in order.
>>>>>>
>>>>>> This nmap scan may also be helpful. Use latest nmap (7.12) to get the
>>>>>> latest SMB detection that they added expressly for Badlock.
>>>>>>
>>>>>> sudo nmap -T5 -p139,445 -PE -PS139,445 -PA139,445 -PU139,445 -PP
>>>>>> --script=smb-os-discovery -iL cidr.list -oA smb-os-discovery
>>>>>>
>>>>>>
>>>>>> Royce
>>>>>>
>>>>>>
>>>>>> On Sat, Mar 26, 2016 at 10:44 PM, Royce Williams <royce@tycho.org>
>>>>>> wrote:
>>>>>> >
>>>>>> > On Fri, Mar 25, 2016 at 2:13 PM, Royce Williams <royce@tycho.org>
>>>>>> wrote:
>>>>>> >>
>>>>>> >> What are folks doing to get ready for Badlock?
>>>>>> >>
>>>>>> >> http://badlock.org/
>>>>>> >>
>>>>>> >> Since no details have been released, my inclination is to start
>>>>>> recommending that folks do a full inventory of all internal SMB-speaking
>>>>>> systems (Windows and otherwise), including base OS version, SMB/Samba
>>>>>> versions enabled, vendor, etc. ... and scan the environment with either
>>>>>> whatever vuln scanning suite you have, or at least some of the *smb* Nmap
>>>>>> NSE scripts. Disabling as much backward compatibility as you can get away
>>>>>> with is probably a good idea anyway, and doing so in advance is probably a
>>>>>> good idea, since we have more than 2 weeks' warning.
>>>>>> >>
>>>>>> >> From:
>>>>>> >>
>>>>>> https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/
>>>>>> >>
>>>>>> >> CIFS – The ancient version of SMB that was part of Microsoft
>>>>>> Windows NT 4.0 in 1996. SMB1 supersedes this version.
>>>>>> >> SMB 1.0 (or SMB1) – The version used in Windows 2000, Windows XP,
>>>>>> Windows Server 2003 and Windows Server 2003 R2
>>>>>> >> SMB 2.0 (or SMB2) – The version used in Windows Vista (SP1 or
>>>>>> later) and Windows Server 2008
>>>>>> >> SMB 2.1 (or SMB2.1) – The version used in Windows 7 and Windows
>>>>>> Server 2008 R2
>>>>>> >> SMB 3.0 (or SMB3) – The version used in Windows 8 and Windows
>>>>>> Server 2012
>>>>>> >>
>>>>>> >>
>>>>>> >> ISPs that aren't already blocking inbound SMB probably should be.
>>>>>> If they're not, may want to consider blocking it on the client side.
>>>>>> >
>>>>>> >
>>>>>> > To clarify, I intended for this to mean the customer demarc
>>>>>> endpoint, downstream from the ISP that is not blocking SMB.
>>>>>> >
>>>>>> >>
>>>>>> >> The speculation is that it might be wormable, but Microsoft has
>>>>>> been mum on the issue so far.
>>>>>> >>
>>>>>> >> And regardless, probably a good idea to reserve a change window
>>>>>> for April 12th. The inventory of all SMB-speaking devices will help gauge
>>>>>> worst-case scope. I know that "we don't know what it is yet, but here's the
>>>>>> list of boxes that may be in scope" is better to have in hand in advance,
>>>>>> rather than scrambling to track down all of the infected boxes after a worm
>>>>>> hits. YRMV (Your Risk May Vary), of course. ;)
>>>>>> >
>>>>>> >
>>>>>> > Two updates:
>>>>>> >
>>>>>> > 1. A now-deleted tweet from a member of the discovery team says
>>>>>> "#badlock means admin accounts for everyone on the same LAN":
>>>>>> >
>>>>>> >
>>>>>> http://www.csoonline.com/article/3047221/techology-business/company-behind-the-badlock-disclosure-says-pre-patch-hype-is-good-for-business.html#tk.twt_cso
>>>>>> >
>>>>>> >
>>>>>> > 2. Info on newer SMB versions that I neglected to include.
>>>>>> >
>>>>>> > First, newer MS links about SMB info for Windows 8.1 / Windows
>>>>>> Server 2012 R2 (thanks, Mack!):
>>>>>> >
>>>>>> >
>>>>>> https://blogs.technet.microsoft.com/josebda/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using/
>>>>>> >
>>>>>> > SMB 3.02 (or SMB3) – The version used in Windows 8.1 and Windows
>>>>>> Server 2012 R2
>>>>>> >
>>>>>> > ... and per
>>>>>> https://blogs.technet.microsoft.com/josebda/2015/05/05/whats-new-in-smb-3-1-1-in-the-windows-server-2016-technical-preview-2/
>>>>>> >
>>>>>> > SMB 3.1.1 - Windows 10 / Windows Server 2016
>>>>>> >
>>>>>> > And per Wikipedia: [SMB 3.1.1] supports AES-128-GCM encryption in
>>>>>> addition to AES-128-CCM encryption added in SMB3, and implements
>>>>>> pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes
>>>>>> secure negotiation mandatory when connecting to clients using SMB 2.x and
>>>>>> higher.
>>>>>> >
>>>>>> > Royce
>>>>>> >
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
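Tying together the nmap inventory scan and the PTR-derived "top-talker" list quoted above: an added example, not code from anyone in this thread, that reads the greppable .gnmap file nmap's -oA writes and tallies hosts with an open SMB port by the domain of their PTR name. The gnmap lines are constructed samples; as Royce notes, PTR names can be stale or missing, so hosts without one are counted under their own bucket rather than dropped.

```python
import re
from collections import Counter

# Constructed sample of nmap greppable (.gnmap) output; the name in parentheses is the PTR.
SAMPLE_GNMAP = """\
# Nmap 7.12 scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 (dsl-10.gci.net)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 203.0.113.11 (dsl-11.gci.net)\tPorts: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 203.0.113.12 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 203.0.113.13 (nas.acsalaska.net)\tPorts: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 203.0.113.14 (printer.kpunet.net)\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
"""
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")
SMB_PORTS = {139, 445}

def parse_gnmap(text):
    """Return (ip, ptr_name, open_tcp_ports) for every Ports line in .gnmap output."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port data
        ip, ptr, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts.append((ip, ptr, open_ports))
    return hosts

def domain_from_ptr(ptr):
    """Collapse a PTR name to its last two labels (dsl-10.gci.net -> gci.net); None if empty."""
    labels = ptr.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def tally_domains(hosts):
    """Count hosts exposing at least one SMB port, grouped by PTR-derived domain."""
    counts = Counter()
    for _ip, ptr, open_ports in hosts:
        if not open_ports & SMB_PORTS:
            continue  # nothing listening on 139/445, so not part of the exposure
        counts[domain_from_ptr(ptr) or "(no PTR)"] += 1
    return counts

def format_report(counts):
    """Render 'count:domain' lines, largest first, like the list posted in the thread."""
    return [f"{n}:{d}" for d, n in counts.most_common()]

print("\n".join(format_report(tally_domains(parse_gnmap(SAMPLE_GNMAP)))))
```

Point it at the real file with `parse_gnmap(open("smb-os-discovery.gnmap").read())`; the "(no PTR)" line is the reminder that absence from the named-domain list does not mean absence from the scan.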

Received on Tue Apr 12 07:51:46 2016

This archive was generated by hypermail 2.1.8 : Tue Apr 12 2016 - 07:51:46 AKDT