Symantec Security Response SMNTC-1358
Apr 15, 2016 - 8:00 a.m.

SA122 : SMB Vulnerabilities in Windows and Samba (Badlock)


CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products that include affected versions of Microsoft Windows and Samba are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to hijack connections to view and modify traffic, obtain unauthorized access to user passwords and other sensitive information, compromise the security of Active Directory domain controllers, and obtain session information for remote hosts.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2016-2115, CVE-2016-2118 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2016-2115, CVE-2016-2118 | 6.6 | Upgrade to 6.6.4.1.
CVE-2016-2110 | 6.7 | Not vulnerable, fixed in 6.7.2.1
CVE-2016-2110 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.4.

Malware Analysis Appliance (MAA)

CVE | Affected Version(s) | Remediation
CVE-2015-5370, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2115 | 4.2 | Upgrade to 4.2.9.

ProxySG

CVE | Affected Version(s) | Remediation
CVE-2016-2115, CVE-2016-2118 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
CVE-2016-2115, CVE-2016-2118 | 6.6 | Upgrade to 6.6.4.1.
CVE-2016-2115, CVE-2016-2118 | 6.5 | Upgrade to 6.5.9.8.
CVE-2016-2110 | 6.7 (not vulnerable to known vectors of attack) | Not vulnerable, fixed in 6.7.1.1
CVE-2016-2110 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.4.
CVE-2016-2110 | 6.5 (not vulnerable to known vectors of attack) | Upgrade to 6.5.10.2.

Security Analytics

CVE | Affected Version(s) | Remediation
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115 | 7.1 | Apply patch RPM from customer support.
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115 | 7.0 | Upgrade to a later release with fixes.
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115 | 6.6 | Apply patch RPM from customer support.

X-Series XOS

CVE | Affected Version(s) | Remediation
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118 | 11.0 | Not available at this time
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118 | 10.0 | Not available at this time
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118 | 9.7 | Not available at this time

The following products have vulnerable Microsoft Windows software, but are not vulnerable to known vectors of attack:

ProxyAV

CVE | Affected Version(s) | Remediation
CVE-2016-0128 | 3.5 (not vulnerable to known vectors of attack) | A fix will not be provided because the affected functionality cannot be accessed and ProxyAV is not vulnerable to known vectors of attack.

ADDITIONAL PRODUCT INFORMATION

ASG and ProxySG are only vulnerable to the MITM attack in CVE-2016-2118. They are not vulnerable to the sensitive information disclosure attack because they do not act as a domain controller and do not have a Security Account Manager Database.

MAA is only vulnerable to the secure DCE/RPC connection downgrade attack in CVE-2015-5370, but is not vulnerable to the other attacks in this CVE.

Only third-party applications running on XOS are vulnerable.

Blue Coat products that run on an installation of Microsoft Windows but do not install or maintain that installation are not vulnerable to CVE-2016-0128 (Badlock for Windows). However, the underlying Windows installation may be vulnerable. Blue Coat urges our customers to update the underlying Windows installation for Auth Connector, BCAAA, Client Connector, General Auth Connector Login Application, IntelligenceCenter, IntelligenceCenter Data Collector, K9, PolicyCenter, ProxyAV ConnLog/ConnLogXP, Reporter 9.x, and Unified Agent.

Blue Coat products do not enable or use all Microsoft Windows and Samba functionality. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided unless noted otherwise.

  • ASG: CVE-2016-2110
  • ProxyAV: CVE-2016-0128 (Badlock for Windows). A fix will not be provided.
  • ProxySG: CVE-2016-2110

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Management Center
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
SSL Visibility
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2015-5370

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus / NVD: CVE-2015-5370
Impact: Denial of service, code execution, information disclosure
Description: Multiple flaws in the Samba DCE/RPC implementation allow a remote authenticated attacker to cause a denial of service or execute arbitrary code in the Samba server. A man-in-the-middle (MITM) attacker can also downgrade secure DCE/RPC connections to hijack an Active Directory (AD) object and compromise the security of the Samba AD Domain Controller (DC).

CVE-2016-0128 (Badlock for Windows)

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus / NVD: CVE-2016-0128
Impact: Information disclosure, unauthorized modification of data
Description: A flaw in the Windows Security Account Manager Remote Protocol (MS-SAMR) and Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) implementations allows a MITM attacker to intercept an authenticated DCERPC connection and impersonate an authenticated user. The attacker can obtain read/write access to passwords and other sensitive information stored in the Security Account Manager Database.

CVE-2016-2110

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus / NVD: CVE-2016-2110
Impact: Information disclosure, unauthorized modification of data
Description: Multiple flaws in Samba NTLMSSP authentication allow a MITM attacker to downgrade a secure connection by clearing the connection's encryption and integrity flags and then hijack the connection. The attacker can also force clients and servers to send data as plaintext even if encryption was explicitly requested.

CVE-2016-2111

Severity / CVSSv2: Medium / 4.3 (AV:A/AC:M/Au:N/C:P/I:P/A:N)
References: SecurityFocus / NVD: CVE-2016-2111
Impact: Information disclosure
Description: A flaw in the Samba domain controller allows a remote attacker to spoof the name of a machine that has established a secure channel with the domain controller. The attacker can sniff the secure channel traffic and obtain session information for the spoofed machine.

CVE-2016-2112

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus: BID / NVD: CVE-2016-2112
Impact: Information disclosure, unauthorized modification of data
Description: A flaw in the Samba built-in LDAP client and server libraries allows a MITM attacker to downgrade LDAP connections to use no integrity protection. The attacker can exploit this vulnerability to hijack the LDAP connections.

CVE-2016-2113

Severity / CVSSv2: Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
References: SecurityFocus: BID / NVD: CVE-2016-2113
Impact: Information disclosure, unauthorized modification of data
Description: A certificate validation flaw in the Samba LDAPS and HTTPS clients allows a MITM attacker to obtain TLS session keys and decrypt or modify the encrypted data inside the TLS tunnels.

CVE-2016-2114

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus: BID 86011 / NVD: CVE-2016-2114
Impact: Unauthorized modification of data
Description: A flaw in the Samba SMB1 server implementation, which does not enforce SMB signing for SMB1 connections, allows a MITM attacker to modify traffic between SMB1 clients and servers.

CVE-2016-2115

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus / NVD: CVE-2016-2115
Impact: Information disclosure, unauthorized modification of data
Description: A flaw in the Samba SMB client module, which does not enforce integrity protection for IPC communication, allows a MITM attacker to view and modify traffic between Samba clients and servers.

CVE-2016-2118 (Badlock for Samba)

Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References: SecurityFocus: BID 86002 / NVD: CVE-2016-2118
Impact: Information disclosure, unauthorized modification of data
Description: A flaw in the Samba Security Account Manager Remote Protocol (MS-SAMR) and Local Security Authority Domain Policy Remote Protocol (MS-LSAD) implementations allows a MITM attacker to intercept an authenticated DCERPC connection and impersonate an authenticated user. The attacker can obtain read/write access to passwords and other sensitive information stored in the Security Account Manager Database.

MITIGATION

By default, MAA does not act as a Samba SMB, LDAP, LDAPS, or HTTPS client. Customers who leave this behavior unchanged prevent attacks against MAA using CVE-2015-5370, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, and CVE-2016-2115.

By default, Security Analytics does not act as a domain controller, LDAP client, or LDAP server. Customers who leave this behavior unchanged prevent attacks against Security Analytics using CVE-2016-2111 and CVE-2016-2112.
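The Samba-side controls behind these mitigations can be audited directly on any host that runs its own Samba. The following checker is an added example, not part of this advisory or of any Blue Coat product; it assumes the smb.conf option names and hardened values published in the Samba release notes that accompanied the Badlock fixes (verify them against the smb.conf(5) page for your Samba version) and runs over a constructed sample configuration.

```python
"""Audit a Samba smb.conf [global] section against the hardening options that
shipped with the Badlock fixes. Added example, not part of the advisory."""
import configparser

# CVE -> (smb.conf option, values that close the described attack). Assumption:
# names and values as documented in the Samba 4.4.2 / 4.3.8 / 4.2.11 release
# notes; CVE-2016-2111 (secure channel spoofing) has no such option.
HARDENING = {
    "CVE-2016-2110": ("raw ntlmv2 auth", {"no"}),
    "CVE-2016-2112": ("ldap server require strong auth", {"yes", "allow_sasl_over_tls"}),
    "CVE-2016-2113": ("tls verify peer", {"ca_and_name", "as_strict_as_possible"}),
    "CVE-2016-2114": ("server signing", {"mandatory", "required"}),
    "CVE-2016-2115": ("client ipc signing", {"mandatory", "required"}),
    "CVE-2016-2118": ("allow dcerpc auth level connect", {"no"}),
}

# Constructed sample smb.conf mixing hardened, weak and unset options.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server signing = auto
   client ipc signing = mandatory
   ldap server require strong auth = no
   tls verify peer = no_check
   allow dcerpc auth level connect = yes
"""


def parse_global(text):
    """Return the [global] section as {lowercase option: lowercase value}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf indents every key; strip indentation so configparser does not
    # read indented lines as continuations of the previous value.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    if not parser.has_section("global"):
        return {}
    return {k.lower(): v.strip().lower() for k, v in parser.items("global")}


def audit(text):
    """Map each CVE to (option, status, value); status is 'ok', 'weak' or
    'unset'. 'unset' leaves the build default in charge, which is only safe on
    a Samba release that already contains the Badlock fixes."""
    conf = parse_global(text)
    findings = {}
    for cve, (option, safe) in HARDENING.items():
        value = conf.get(option)
        status = "unset" if value is None else "ok" if value in safe else "weak"
        findings[cve] = (option, status, value)
    return findings
```

On the sample configuration only `client ipc signing` passes; `raw ntlmv2 auth` is reported as unset, and the other four options are flagged weak.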

REFERENCES

Badlock announcement - http://badlock.org
Samba security announcement - https://www.samba.org/samba/history/security.html
CERT VU#813296 - https://www.kb.cert.org/vuls/id/813296
Microsoft security bulletin MS16-047 - https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-047

REVISION

2020-04-26 Advisory status changed to Closed.
2019-10-03 Web Isolation is not vulnerable.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-12 A fix for CVE-2016-2110 in ProxySG 6.5 is available in 6.5.10.2.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-03-29 A fix for CVE-2016-2110 in ASG 6.6 is available in 6.6.5.4.
2017-03-29 A fix for CVE-2016-2110 in ProxySG 6.6 is available in 6.6.5.4.
2017-03-06 ProxySG 6.7 is not vulnerable because all fixes are available in 6.7.1.1. A fix for CVE-2016-2110 will not be provided for ProxySG 6.5 and 6.6. Please upgrade to a later version with the vulnerability fix. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 Fixes for Security Analytics 6.6 and 7.1 are available through patch RPMs from Blue Coat Support.
2016-08-12 A fix for Security Analytics is available in 7.2.1.
2016-06-23 A fix for CVE-2016-2115 and CVE-2016-2118 in ASG is available in 6.6.4.1.
2016-06-21 A fix for CVE-2016-2115 and CVE-2016-2118 in ProxySG 6.6 is available in 6.6.4.1.
2016-06-14 A fix for CVE-2016-2115 and CVE-2016-2118 in ProxySG 6.5 is available in 6.5.9.8.
2016-06-13 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 Added remaining CVSS v2 scores from NVD.
2016-04-27 Added CVSS v2 score from NVD for CVE-2015-5370. Updated references to point to NVD CVE articles.
2016-04-21 ASG 6.6 is vulnerable to CVE-2016-2115 and CVE-2016-2118 (Badlock for Samba). It also has vulnerable code for CVE-2016-2110, but is not vulnerable to known vectors of attack. ProxyAV 3.5 has vulnerable Microsoft Windows software for CVE-2016-0128 (Badlock for Windows), but the vulnerable software is not used and ProxyAV is not vulnerable to known vectors of attack. A fix for ProxyAV will not be provided.
2016-04-21 ProxySG 6.5 and 6.6 are vulnerable to CVE-2016-2115 and CVE-2016-2118 (Badlock for Samba). They also have vulnerable code for CVE-2016-2110, but are not vulnerable to known vectors of attack.
2016-04-15 initial public release
