[aklug] Re: [NUGA] Re: getting ready for Badlock?

From: Royce Williams <royce@tycho.org>
Date: Tue Apr 12 2016 - 09:52:27 AKDT

This was informative:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday,-April-2016/

The vulnerability (MS16-047 / CVE-2016-0128) is a man in the middle (MITM)
attack on specific RPC traffic. An attacker that's properly placed can
listen in on RPC traffic and force a session to downgrade its
authentication level. This allows a basic hijack of the session and a
privilege escalation that could allow an attacker full access to
administrative tasks and the user database (SAM) on the remote server.

In other words, if you get between two servers doing admin things, you can
ride their coat-tails.

This MS vuln appears to be it:

https://technet.microsoft.com/en-us/library/security/ms16-047

Royce

On Tue, Apr 12, 2016 at 9:47 AM, Royce Williams <royce@tycho.org> wrote:

> One reason Badlock is getting panned is that most people aren't doing SMB
> signing, etc. But fooling one Windows box into thinking it's talking to a
> different Windows box is pretty useful to attackers, and something that you
> should do something about -- once your higher-interest security debt has
> been paid down. :)
>
> As I just tweeted: If you've hardened MS or Samba SMB, #badlock weakens
> them. If not, you're vulnerable to similar MITM anyway - no net new
>
> In other words, if your SMB implementation was already weak and subject to
> MITM, Badlock doesn't make it much worse.
>
> Royce
>
> On Tue, Apr 12, 2016 at 9:34 AM, kris laubenstein <
> krislaubenstein@gmail.com> wrote:
> >
> > Agreed with Royce here. Not sure this deserved a logo and a name. If
> > more end up like this, they'll start being treated as wolf crying.
> >
> > But, I suppose it can't hurt to audit all potential Samba / SMB sources,
> > if only to update the network map.
> >
> > Kris Laubenstein
> >
> > On Apr 12, 2016 9:28 AM, "Royce Williams" <royce@tycho.org> wrote:
> >>
> >> I wouldn't call it urgent by any means. If you're not doing SMB
> >> signing, you're vulnerable to similar MITM anyway. I would roll this out in
> >> the same cycle as your usual patches.
> >>
> >> I think that the badlock.org people are going to get raked over the
> >> coals for this.
> >>
> >> And I really do think that moving towards SMB signing is a very good
> >> idea. You can make it optional on most platforms, and then enable logging
> >> to see where it's not being negotiated.
>
>
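
An added example, not part of the original thread or written by its participants: a config-side check to go with the SMB signing advice above, reading the [global] `server signing` / `client signing` settings from Samba smb.conf text and listing hosts that do not require signing. The host names and configs are constructed, and the keyword grouping is a simplification of the values smb.conf(5) accepts.

```python
# Added example: classify SMB signing settings found in smb.conf text.
# Assumption: keyword groups below simplify the values smb.conf(5) accepts.
REQUIRED = {"mandatory", "required", "force", "forced", "enforced"}
OPTIONAL = {"auto", "if_required", "desired", "yes", "true", "on", "1", "enabled"}
OFF = {"disabled", "no", "false", "off", "0"}
PARAMS = {"serversigning": "server signing", "clientsigning": "client signing"}

def parse_global(text):
    """Return [global] parameters keyed by normalized name."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            # Samba matches parameter names ignoring case and whitespace
            params["".join(key.lower().split())] = value.strip()
    return params

def signing_state(value):
    """Map a raw setting to required / optional / off / default / unknown."""
    if value is None or value.lower() == "default":
        return "default"  # depends on Samba version and server role: review by hand
    v = value.lower()
    for state, words in (("required", REQUIRED), ("optional", OPTIONAL), ("off", OFF)):
        if v in words:
            return state
    return "unknown"

def audit(text):
    params = parse_global(text)
    return {name: signing_state(params.get(key)) for key, name in PARAMS.items()}

def servers_not_requiring(configs):
    """Hosts whose server side does not require signing, sorted by name."""
    return sorted(h for h, t in configs.items()
                  if audit(t)["server signing"] != "required")

# Constructed sample configs (hypothetical hosts)
SAMPLES = {
    "filesrv": "[global]\n workgroup = EXAMPLE\n server signing = mandatory\n"
               " client signing = auto\n[share]\n server signing = disabled\n",
    "legacy": "; old box\n[global]\n Server  Signing = No\n",
    "unset": "[global]\n workgroup = EXAMPLE\n",
}

if __name__ == "__main__":
    for host in servers_not_requiring(SAMPLES):
        print(host, audit(SAMPLES[host]))
```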

Received on Tue Apr 12 08:10:36 2016