Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Getting Ready for Badlock - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Getting Ready for Badlock

It got a catchy name, it got a logo... so it must be serious. Or at least that is what is implied with the "Badlock" vulnerability that was pre-announced this week.

At this point, there is only a vague pre-announcement. The details, and a patch, will be released on April 12th, Microsoft's next patch Tuesday. S

The vulnerability will affect systems running SAMBA (an open source implementation of the SMB protocol, commonly found on Unix systems) as well as Windows systems . The second group is probably easier to identify, and given that we should have a patch from Microsoft on April 12th, your normal patch procedures should have you covered.

The Unix part can be a bit more tricky. To get ready for April 12th, it may be worth-while to scan your environment for systems with SMB enabled. This will get you a head start once the patch is released. Due to the high-profile pre-announcement, I expect major Unix versions to release a patch on April 12th as well.

OS X started using its own implementation of the SMB protocol, sometimes referred to asm SMBX, With OS X 10.7 (Lion). You are probably not going to find a lot of pre-10.7 systems still around, and if you do, you probably wont get a patch from Apple. SMBX is not listed in the Badlock pre-announcement. We can assume at this point that it is not vulnerable.

A possible twist to this would be vulnerable clients. It is possible to trick a client to connect to an SMB share using the "smb:" protocol. Outbound traffic from clients is often less strictly controlled then inbound.

Short summary: What should you do before April 12th

  • inventory SMB servers
  • verify firewall rules to block SMB inbound AND outbound
  • order some donuts/pizza for the patch team for April 12th. It could be a busy day. 

Side note: Stefan Metzmacher, who is credited with discovering the vulnerability, is the author of the file "lock.c" in Samba. This file appears to deal with SMB2 lock requests. It is pretty short, but includes an "interesting" comment: "/* this is quite bizarre - the spec says we must lie about the length! */".

Johannes B. Ullrich, Ph.D.

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


4511 Posts
ISC Handler
Mar 23rd 2016
Are there any ports other than 445 that need to be scrutinized in relation to BADLOCK? I realize you may not have the details yet, either.

4 Posts
Why is nothing published on TechNet / Microsoft
1 Posts
Quoting v-ger:Are there any ports other than 445 that need to be scrutinized in relation to BADLOCK?

Port 139, if you have good ol’ NetBIOS over TCP/IP enabled. If that’s the case, you should use this opportunity to get rid of it, regardless of BADLOCK.

6 Posts
Im using nmap script "--script smb-os-discovery " to scan for all SMB in my env.

37 Posts
I went ahead and included 137-139 as well as 445 in a scan using Angry IP Scanner.

4 Posts

Sign Up for Free or Log In to start participating in the conversation!