Badlock vulnerability viewed as more hype than threat

Samba bug could lead to Man-in-the-Middle and Denial of Service attacks

After a three-week delay, the Badlock details were made public on Tuesday, generating disappointment in the research community and, in some cases, relief, as administrators realized the issue isn't as critical as they had been led to believe.

When it was announced, the company behind Badlock's discovery – SerNet – warned administrators to be ready to patch, as they were sure "that there will be exploits soon after we publish all relevant information."

But from the beginning, Badlock looked like more of a marketing exercise than a disclosure.

Johannes Loxen, who registered the Badlock.org domain, called the situation a win-win, because the company gets marketing and the public gets notice about a "serious bug." The problem is, the bug isn't that serious.


According to Microsoft, which rated Badlock as "Important" (not "Critical") in its Patch Tuesday release, only applications or products that use the SAM or LSAD remote protocols are affected by the bug. The SMB protocol itself is not vulnerable.

"...it's too bad that Microsoft disbanded the Microsoft Security Response Center (MSRC), because in this instance it would have allowed for better communications from Microsoft and in turn, a better understanding of how people are affected," commented Andrew Storms, VP of security services at New Context.

"For many people the Badlock hype was just that, a lot of hype. Security teams should patch immediately, but also put it in perspective with all of the patches that Microsoft released today. For example, patching a remote code execution bug in Internet Explorer may be more important to your organization than the over-hyped Badlock," he added.

One reason Badlock doesn't merit the hype it received is its attack vector: Man-in-the-Middle. Before anything can happen, an attacker first needs a position on the network from which they can intercept the traffic between a client and the server. Without that vantage point, the bug cannot be triggered at all.

"Many attackers will use every tool in their toolbox to get into a network so there’s a good chance that Badlock will be used as a downstream vector," explained Michael Gray, VP of Technology at Thrive Networks.

"For instance, an attacker can own a workstation via public Wi-Fi and then wait until that device is in a corporate environment. Once it detects a file server, it could inject payload into the server via Badlock or simply use it to download corporate data."

This attack path is a valid one, but the key point is that if an attacker already controls a corporate device, they likely have everything needed to reach corporate data, so Badlock isn't even a consideration at that stage. It's like getting root after you've already established root. Not to mention, tampering with SAM or LSAD traffic could be too noisy, which lowers the odds of success during the attack.

Again, Badlock isn't a remote exploit in the usual sense; it requires an attacker who is already positioned inside the network, with the ability to intercept traffic, before it can do any damage. If things have reached that point, the game's already over.
