Not having any details about the latest Badlock bug is frustrating, but IT administrators can do more than mark their calendars and wait for the security update. In fact, simply waiting is a bad idea.
Wedding save-the-dates let invited guests clear the calendar and make travel arrangements. IT administrators should treat the Badlock pre-release announcement regarding a vulnerability involving Microsoft Windows and Samba similarly, by preparing their network infrastructure and clearing their schedules. This way, they will be ready to evaluate the patch and act appropriately as soon as it becomes available.
“Please get yourself ready to patch all systems on this day,” warns the badlock. “We are pretty sure that there will be exploits soon after we publish all relevant information.”
Prepped and ready
Take a look at upcoming projects and plans. Make sure there’s time built into the schedule to go through the patch when it goes live. Set aside extra time to test and apply patches, recommends Jake Williams, principal consultant and founder at security consultancy Rendition Infosec, as well as a certified SANS instructor, on theRendition Infosec blog. Testing is very important, as Server Message Block (SMB) runs in kernel space. If something goes wrong, it will need more time to fix.
“A bad patch here will result in a blue screen. Period. Not a good place to be,” Williams wrote.
Be prepared to patch more than once, especially if Microsoft winds up releasing a rushed patch out-of-band because an exploit becomes available before April 12.
Have a complete list of systems that may need updates — the list may get shorter when details such as software and version number are available, but the list will show the worst-case scenario. Know which systems — Windows and Unix — have SMB enabled. Knowing how many systems will potentially need to be worked on will help determine how much time and people to schedule.
“This will get you a head start once the patch is released,” SANS Institute’s Johannes B. Ullrich wrote on the Internet Storm Center blog.
Tthough the website scrupulously avoids providing any details, SerNet, the Samba consulting company behind the Badlock website, has released some hints. Simply knowing Badlock affects Windows and Samba means it likely has something to do with the SMB protocol, used to read and write files over the local network, or Common Internet File System (CIFS), the SMB implementation used in Windows.
If Badlock turns out to be a protocol design flaw, then other software using SMB, such as versions of Mac OS X, FreeBSD, and Solaris, may be affected, wrote Brian Martin, director of vulnerability intelligence at security firm Risk Based Security. However, Mac OS X switched to its SMB implementation, SMBX, with OS X 10.7 (Lion). Since Apple is not named in the pre-advisory, it may be safe to assume OS X is unaffected. It’s still worth adding OS X systems with SMB enabled on the list of potentially affected systems.
Take a look at each of the systems, and don’t allow SMB or NetBIOS where it isn’t needed. This audit doesn’t have to wait for April 12. Don’t need it? Take it away.
Protecting the network
The name Badlock is a clue on where the vulnerability may be located, as it could refer to a file or resource-locking mechanism within the SMB implementation, and the code that controls it. There’s even a file in the Samba source code called lock.c.
Johannes Loxen, Sernet’s CEO, said on Twitter that Badlock will mean “admin accounts for everyone on the same LAN,” meaning an attacker would be able to gain administrative-level privileges on a local network. This makes a worm attack likely, so IT teams should look at how to make it harder to traverse the network. Williams recommends blocking SMB leaving the network, via TCP ports 135, 139, and 445 at the boundary firewall.
Ullrich recommends verifying firewall rules to block SMB both inbound and outbound.
Network segmentation makes it harder for worms to spread because it limits the area the worm can access. Physically separate network segments or set up virtual LANs. Williams also recommends private VLANs, though they may be harder to initially set up.
“Think about your network segmentation,” Williams recommends. “Layer 3 ACL’s make a ton of sense here. So do client firewalls.”
Waiting until April 12 — when the update is expected to be live, likely as part of Microsoft’s Patch Tuesday update — or even a few days beforehand to start preparations is a dangerous game since there’s a chance the vulnerability will be public before then. What’s striking about this pre-announcement is the fact that it comes 20 days in advance. Most previews come a few days — maybe a week — before the actual patch, primarily to avoid alerting people who may try to find the flaw on their own. There are already enough clues on where the vulnerability may be and what it may do, so it’s possible someone may find and leak the details sooner.
“Odds on the details of Badlock leaking (or being independently discovered) before April 12th? 15/1,” security researcher David Litchfield wrote on Twitter.
There are several unknowns at this point. Someone else may uncover Badlock. Microsoft and Samba may run into delays while testing the update or be forced to release an incomplete patch. IT teams need to be ready to swing into action right away, which means getting ready starting now.
“Order some donuts/pizza for the patch team for April 12. It could be a busy day,” Ullrich said.
It’s possible that the “crucial security bug” could turn out to be hype. There have been plenty of serious vulnerabilities over the past few months that have turned out to be flash, but not exploitable. But taking steps to prepare for Badlock is time well spent. If nothing else comes of it, at least the network is in good shape.