Badlock Samba Vulnerability Remediation
This article explains the Badlock vulnerability in Samba, a critical flaw in Samba's implementation of the SMB/CIFS and DCE/RPC protocols. Samba 4.2, 4.3 and 4.4 are affected, as are older, unsupported branches; patched releases for the supported branches were published on April 12th, 2016.
The vulnerability was disclosed on April 12th, 2016 (4/12/2016), together with the fixes. It affects any server running Samba 4.4, 4.3 or 4.2, and many earlier, unsupported and therefore unpatched versions of Samba (upstream lists every release from 3.6.0 to 4.4.0 inclusive as vulnerable).
An unpatched Samba server, and any Windows SMB server that has not received the corresponding Microsoft update, can be attacked in one of two ways:
- A man-in-the-middle attack against the DCE/RPC traffic carried over SMB. An attacker positioned on the network path between a client and the server can intercept and tamper with an administrative session (for example an Active Directory administrator's), impersonate that user, and obtain sensitive information such as passwords, account details and access to the resources those credentials protect.
- A malicious third party that can open a connection to a Samba/SMB server can trigger a denial of service (DoS) against it.
All administrators should identify the Samba version running on every server they support and upgrade to the patched release for that branch as soon as technically feasible.
The patched release depends on the Samba branch in use (the later release in each pair supersedes the earlier one):
- 4.2.x: 4.2.10 / 4.2.11
- 4.3.x: 4.3.7 / 4.3.8
- 4.4.x: 4.4.1 / 4.4.2
Servers on branches older than 4.2 receive no upstream fix and should be moved to a supported branch, unless the distribution vendor ships a backported fix for the older package.
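The assessment step above is easy to get wrong by hand, so here is an added example (not part of the original article and not a Samba project tool): a POSIX shell function that parses the output of `smbd --version` and classifies the version against the fixed releases listed above. It assumes plain upstream version numbers; the sample version strings in the block are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not part of the original article: classify a Samba version
# string against the Badlock fixed releases listed above (4.2.10, 4.3.7,
# 4.4.1; the later release in each pair supersedes the earlier one).
# Assumption: version numbers are compared as plain upstream numbers, so a
# vendor package that backports the fix under an older number is reported as
# "vulnerable" (see the note below).

# Extract the first x.y.z token from output such as "Version 4.3.9-Ubuntu".
samba_version_number() {
    for tok in $(printf '%s\n' "$1" | tr -c '0-9.\n' ' '); do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Print one of: patched, vulnerable, unsupported, unknown.
badlock_status() {
    ver=$(samba_version_number "$1") || { echo unknown; return 1; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    done
    case "$major.$minor" in
        4.2) fixed=10 ;;
        4.3) fixed=7 ;;
        4.4) fixed=1 ;;
        *)
            # Branches after 4.4 were cut after the fix; branches before 4.2
            # were already out of upstream support and received no patch.
            if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 4 ]; }; then
                echo patched
            else
                echo unsupported
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample outputs of `smbd --version` (not captured from real hosts).
for sample in "Version 4.1.17-Debian" "Version 4.2.3" "Version 4.3.7-Ubuntu" \
              "Version 4.4.0" "Version 4.4.2-SerNet-RedHat-7.el7"; do
    printf '%-36s %s\n' "$sample" "$(badlock_status "$sample")"
done

# On a real host: check the installed daemon, if there is one.
if command -v smbd >/dev/null 2>&1; then
    installed=$(smbd --version 2>/dev/null || true)
    printf '%-36s %s\n' "installed: $installed" "$(badlock_status "$installed")"
fi
```

A "vulnerable" result from this check is a prompt to look further, not a verdict: enterprise distributions commonly backport the fix into an older package version, so on such systems confirm through the vendor's advisory or the package changelog (for example `rpm -q --changelog samba | grep CVE-2016-2118` on RPM-based systems) before deciding a host is exposed. A "patched" result from a version number alone is reliable only for packages built from upstream releases.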
Windows servers are affected as well: the Windows side of Badlock is CVE-2016-0128, fixed by Microsoft security bulletin MS16-047 released on the same day. Windows administrators should apply all available updates to their servers as soon as technically possible.
See https://www.samba.org/samba/security/ for more information.
More details about this vulnerability can be found at http://badlock.org/
The Badlock name refers primarily to one CVE, CVE-2016-2118 (SAMR and LSA man-in-the-middle attacks): https://www.samba.org/samba/security/CVE-2016-2118.html
The same Samba releases also fix a number of related CVEs in the surrounding code paths:
- CVE-2015-5370 (Multiple errors in DCE-RPC code)
- CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
- CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
- CVE-2016-2112 (LDAP client and server don't enforce integrity)
- CVE-2016-2113 (Missing TLS certificate validation)
- CVE-2016-2114 ("server signing = mandatory" not enforced)
- CVE-2016-2115 (SMB IPC traffic is not integrity protected)
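Several of the CVEs above were closed by new smb.conf parameters, or by new secure defaults for existing ones, in the patched releases. The following smb.conf fragment is an added example (not from the article or the Samba project's documentation) that pins those settings explicitly so that they survive later edits; it assumes a server already running 4.2.10, 4.3.7, 4.4.1 or later, because an older smbd does not know these parameters and simply warns and ignores them (`testparm` shows the "Unknown parameter" warnings). In particular, CVE-2016-2114 means an unpatched server does not honour `server signing = mandatory` at all, so configuration is a complement to the upgrade, never a substitute.

```ini
[global]
    # CVE-2016-2114: require SMB signing from every client. The patched
    # releases actually enforce this; an unpatched server silently does not.
    server signing = mandatory

    # CVE-2016-2115: sign the IPC$ connections Samba itself opens as a client
    # (winbindd, the net tool, DCE/RPC over named pipes).
    client ipc signing = mandatory

    # CVE-2016-2118: refuse DCE/RPC binds that authenticate at auth level
    # "connect", i.e. with no integrity or privacy protection.
    allow dcerpc auth level connect = no

    # CVE-2016-2113: verify the peer certificate on LDAPS/TLS connections.
    tls verify peer = as_strict_as_possible

    # CVE-2016-2112 (Active Directory DC role only): reject LDAP binds that
    # do not negotiate integrity protection.
    ldap server require strong auth = yes
```

`server signing = mandatory` applies to file-sharing traffic too, so on a busy file server budget for the CPU cost and test legacy clients that cannot sign before rolling it out; on an AD domain controller it is the fixed releases' default in any case. After editing, run `testparm` to confirm every parameter is recognised and then restart the Samba services.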