SA122 : SMB Vulnerabilities in Windows and Samba (Badlock)

Security Advisory ID: SA122
Published Date: Apr 15, 2016
Advisory Status: Interim
Advisory Severity: Medium
CVSS v2 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE Number: 
CVE-2015-5370 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2016-0128 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2016-2110 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2016-2111 - 4.3 (MEDIUM) (AV:A/AC:M/Au:N/C:P/I:P/A:N)
CVE-2016-2112 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2016-2113 - 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE-2016-2114 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2016-2115 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2016-2118 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Blue Coat products that include affected versions of Microsoft Windows and Samba are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to hijack connections to view and modify traffic, obtain unauthorized access to user passwords and other sensitive information, compromise the security of Active Directory domain controllers, and obtain session information for remote hosts.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.4.1 is vulnerable to CVE-2016-2115 and CVE-2016-2118 (Badlock for Samba).  It is only vulnerable to the MITM attack in CVE-2016-2118.  ASG is not vulnerable to the sensitive information disclosure attack because it does not act as a domain controller and does not have a Security Account Manager Database.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.9 has vulnerable Samba software.  It is vulnerable to CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, and CVE-2016-2115.  MAA 4.2 prior to 4.2.9 is also vulnerable to the secure DCE/RPC connection downgrade attack in CVE-2015-5370, but is not vulnerable to the other attacks in this CVE.

ProxySG
ProxySG 6.5 prior to 6.5.9.8 and 6.6 prior to 6.6.4.1 have vulnerable Samba software.  They are vulnerable to CVE-2016-2115 and CVE-2016-2118 (Badlock for Samba).  ProxySG is only vulnerable to the MITM attack in CVE-2016-2118.  It is not vulnerable to the sensitive information disclosure attack because it does not act as a domain controller and does not have a Security Account Manager Database.  ProxySG 6.7 is not vulnerable.

Security Analytics
SA 6.6, 7.0, and 7.1 have vulnerable Samba software.  They are vulnerable to CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, and CVE-2016-2115.  SA 7.2 is not vulnerable.

X-Series XOS
XOS 9.7, 10.0, and 11.0 have vulnerable Samba software.  They are vulnerable to CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, and CVE-2016-2118 (Badlock for Samba).  Only the third-party applications running on XOS are vulnerable.

The following products have vulnerable Microsoft Windows software, but are not vulnerable to known vectors of attack:

ProxyAV
ProxyAV 3.5 has vulnerable Microsoft Windows software for CVE-2016-0128 (Badlock for Windows).  However, the vulnerable functionality cannot be accessed and ProxyAV is not vulnerable to known vectors of attack.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Management Center
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
SSL Visibility
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple SMB-related vulnerabilities in Microsoft Windows and Samba.  Blue Coat products that include the vulnerable Microsoft Windows or Samba functionality are vulnerable.

  • CVE-2015-5370 addresses multiple flaws in the Samba DCE/RPC implementation.  A remote authenticated attacker could exploit these vulnerabilities to cause a denial of service or execute arbitrary code on the Samba server.  A man-in-the-middle (MITM) attacker can also downgrade secure DCE/RPC connections, hijack an Active Directory (AD) object, and compromise the security of a Samba AD Domain Controller (DC).
  • CVE-2016-0128 (Badlock for Windows) is a flaw in the Security Account Manager Remote Protocol (MS-SAMR) and Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) implementations in the Windows operating system.  A MITM attacker can exploit this vulnerability to intercept an authenticated DCERPC connection and impersonate an authenticated user.  The attacker can obtain read/write access to passwords and other sensitive information stored in the Security Account Manager Database.
  • CVE-2016-2110 addresses multiple flaws in the Samba NTLMSSP authentication.  A MITM attacker can exploit these vulnerabilities to downgrade a secure connection by clearing the connection's encryption and integrity flags, and hijack the connection.  The attacker can also force clients and servers to send data as plaintext even if encryption was explicitly requested.
  • CVE-2016-2111 is a flaw in the Samba domain controller that allows a remote attacker to spoof the name of a machine that has established a secure channel with the domain controller.  The attacker can sniff the secure channel traffic and obtain session information for the spoofed machine.
  • CVE-2016-2112 is a flaw in the Samba built-in LDAP client and server libraries that allows a MITM attacker to downgrade LDAP connections to use no integrity protection.  The attacker can exploit this vulnerability to hijack the LDAP connections.
  • CVE-2016-2113 is a flaw in the Samba LDAPS and HTTPS clients, which do not validate server certificates to authenticate the remote TLS servers.  A MITM attacker can exploit this vulnerability to impersonate the server, obtain the TLS session keys, and decrypt or modify data inside the TLS tunnel.
  • CVE-2016-2114 is a flaw in the Samba SMB1 server implementation, which does not enforce the "server signing = mandatory" setting for SMB1 connections.  A MITM attacker can exploit this vulnerability to modify traffic between SMB1 clients and servers.
  • CVE-2016-2115 is a flaw in the Samba SMB client module that does not enforce integrity protections for IPC communication.  A MITM attacker can exploit this vulnerability to view and modify traffic between Samba clients and servers.
  • CVE-2016-2118 (Badlock for Samba) is a flaw in the Security Account Manager Remote Protocol (MS-SAMR) and Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) implementations in Samba.  A MITM attacker can exploit this vulnerability to intercept an authenticated DCERPC connection and impersonate an authenticated user.  The attacker can obtain read/write access to passwords and other sensitive information stored in the Security Account Manager Database.
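The signing-downgrade class in CVE-2016-2114 and CVE-2016-2115 comes down to one negotiable flag: whether the server (or client) merely enables SMB signing or actually requires it.  The following Python script is an added example, not code from this advisory or from Blue Coat, Samba or Microsoft.  It builds an SMB2 NEGOTIATE request, parses the SecurityMode field of the NEGOTIATE response, and reports whether the server advertises SMB2_NEGOTIATE_SIGNING_REQUIRED (0x0002) or only SMB2_NEGOTIATE_SIGNING_ENABLED (0x0001).  The host name, the dialect list and the constructed sample responses used for the offline run are assumptions made for illustration.

```python
"""Check whether an SMB2 server requires message signing (added example).

A server that only advertises SIGNING_ENABLED, not SIGNING_REQUIRED, lets a
MITM strip signing from any client that does not itself require it, which is
the downgrade class behind CVE-2016-2114 / CVE-2016-2115.
"""
import socket
import struct
import uuid

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_COMMAND_NEGOTIATE = 0x0000

# SMB2 header (64 bytes): ProtocolId, StructureSize, CreditCharge, Status,
# Command, Credits, Flags, NextCommand, MessageId, Reserved, TreeId,
# SessionId, Signature.
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
# Fixed part (64 bytes) of the NEGOTIATE response: StructureSize (65, the
# one-byte security buffer is counted), SecurityMode, DialectRevision,
# NegotiateContextCount, ServerGuid, Capabilities, MaxTransact, MaxRead,
# MaxWrite, SystemTime, ServerStartTime, SecBufOffset, SecBufLen, CtxOffset.
NEG_RESP_FIXED = struct.Struct("<HHHH16sIIIIQQHHI")


def build_smb2_negotiate(dialects=(0x0202, 0x0210, 0x0300, 0x0302)) -> bytes:
    """Build an SMB2 NEGOTIATE request offering the given dialects."""
    header = SMB2_HEADER.pack(b"\xfeSMB", 64, 0, 0, SMB2_COMMAND_NEGOTIATE,
                              1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # Client side: signing enabled but not required, the weakest honest client.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects),
                       SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return header + body


def parse_negotiate_response(data: bytes) -> dict:
    """Extract dialect and signing flags from a raw SMB2 NEGOTIATE response."""
    if len(data) < SMB2_HEADER.size + NEG_RESP_FIXED.size:
        raise ValueError("short SMB2 packet")
    hdr = SMB2_HEADER.unpack_from(data, 0)
    if hdr[0] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet (SMB1-only server?)")
    if hdr[4] != SMB2_COMMAND_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    if hdr[3] != 0:
        raise ValueError("NEGOTIATE failed, NTSTATUS 0x%08x" % hdr[3])
    body = NEG_RESP_FIXED.unpack_from(data, SMB2_HEADER.size)
    sec = body[1]
    return {
        "dialect": body[2],
        "signing_enabled": bool(sec & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(sec & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def assess(info: dict) -> str:
    """Classify the server's signing posture for a report."""
    if info["signing_required"]:
        return "signing required: a MITM cannot strip signing"
    if info["signing_enabled"]:
        return "signing optional: a MITM can downgrade clients that do not require it"
    return "signing disabled: all traffic can be tampered with in transit"


def make_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed sample response (not a capture) for the offline run."""
    header = SMB2_HEADER.pack(b"\xfeSMB", 64, 0, 0, SMB2_COMMAND_NEGOTIATE,
                              1, 0x1, 0, 0, 0, 0, 0, b"\x00" * 16)  # Flags: SERVER_TO_REDIR
    body = NEG_RESP_FIXED.pack(65, security_mode, dialect, 0, b"\x11" * 16,
                               0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"  # placeholder security buffer


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Send one NEGOTIATE over direct TCP (4-byte NetBIOS session header)."""
    req = build_smb2_negotiate()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        length = struct.unpack(">I", s.recv(4))[0] & 0x00FFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        info = probe(sys.argv[1])  # host is an assumption: pass your own target
    else:  # offline: the constructed "signing optional" case
        info = parse_negotiate_response(
            make_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED))
    print(info, "->", assess(info))
```

Run it with a host argument against a server you are authorized to test, or without one to see the offline constructed case.  The script only observes the negotiated posture; it does not perform the downgrade.  A result of signing_required=False on a Samba server is the condition that the Badlock releases close on the server side by enforcing "server signing = mandatory" (CVE-2016-2114); on the client side those releases added "client ipc signing", defaulting to mandatory, so IPC$ traffic can no longer be downgraded (CVE-2016-2115).  An SMB1-only server does not answer with an SMB2 packet, and the parser raises ValueError rather than reporting a posture.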

Blue Coat products that run on an installation of Microsoft Windows but do not install or maintain that installation are not vulnerable to CVE-2016-0128 (Badlock for Windows).  However, the underlying Windows installation may be vulnerable.  Blue Coat urges customers to update the underlying Windows installation for AuthConnector, BCAAA, Client Connector, General Auth Connector Login Application, IntelligenceCenter, IntelligenceCenter Data Collector, K9, PolicyCenter, ProxyAV ConLog and ConLogXP, Reporter 9.x, and Unified Agent.

Blue Coat products do not enable or use all Microsoft Windows and Samba functionality.  The products listed below do not use the functionality described in the CVEs listed beside them and are therefore not known to be vulnerable to those CVEs.  However, fixes for these CVEs will be included in the patches provided, unless noted otherwise.

  • ASG: CVE-2016-2110
  • ProxyAV: CVE-2016-0128 (Badlock for Windows).  A fix will not be provided.
  • ProxySG: CVE-2016-2110

Workarounds: 

By default, MAA does not act as a Samba SMB, LDAP, LDAPS, or HTTPS client.  Customers who leave this default unchanged prevent attacks against MAA using CVE-2015-5370, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, and CVE-2016-2115.

By default, Security Analytics does not act as a domain controller, LDAP client, or LDAP server.  Customers who leave this behavior unchanged prevent attacks against Security Analytics using CVE-2016-2111 and CVE-2016-2112.

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix for CVE-2016-2115 and CVE-2016-2118 is available in 6.6.4.1.  A fix for CVE-2016-2110 is available in 6.6.5.4.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.9.

ProxyAV
ProxyAV 3.5 - a fix will not be provided because ProxyAV is not vulnerable to known vectors of attack.

ProxySG
ProxySG 6.7 - a fix for CVE-2016-2110 is available in 6.7.1.1.
ProxySG 6.6 - a fix for CVE-2016-2115 and CVE-2016-2118 is available in 6.6.4.1. A fix for CVE-2016-2110 is available in 6.6.5.4.
ProxySG 6.5 - a fix for CVE-2016-2115 and CVE-2016-2118 is available in 6.5.9.8.  A fix for CVE-2016-2110 will not be provided.  Please upgrade to a later version with the vulnerability fix.

Security Analytics
SA 7.2 - a fix is available in 7.2.1.
SA 7.1 - a fix is available through a patch RPM from Blue Coat Support.
SA 7.0 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
SA 6.6 - a fix is available through a patch RPM from Blue Coat Support.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-03-29 A fix for CVE-2016-2110 in ASG 6.6 is available in 6.6.5.4.
2017-03-29 A fix for CVE-2016-2110 in ProxySG 6.6 is available in 6.6.5.4.
2017-03-06 ProxySG 6.7 is not vulnerable because all fixes are available in 6.7.1.1.  A fix for CVE-2016-2110 will not be provided for ProxySG 6.5 and 6.6.  Please upgrade to a later version with the vulnerability fix.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 Fixes for Security Analytics 6.6 and 7.1 are available through patch RPMs from Blue Coat Support.
2016-08-12 A fix for Security Analytics is available in 7.2.1.
2016-06-23 A fix for CVE-2016-2115 and CVE-2016-2118 in ASG is available in 6.6.4.1.
2016-06-21 A fix for CVE-2016-2115 and CVE-2016-2118 in ProxySG 6.6 is available in 6.6.4.1.
2016-06-14 A fix for CVE-2016-2115 and CVE-2016-2118 in ProxySG 6.5 is available in 6.5.9.8.
2016-06-13 A fix for SA 7.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 Added remaining CVSS v2 scores from NVD.
2016-04-27 Added CVSS v2 score from NVD for CVE-2015-5370.  Updated references to point to NVD CVE articles.
2016-04-21 ASG 6.6 is vulnerable to CVE-2016-2115 and CVE-2016-2118 (Badlock for Samba).  It also has vulnerable code for CVE-2016-2110, but is not vulnerable to known vectors of attack.  ProxyAV 3.5 has vulnerable Microsoft Windows software for CVE-2016-0128 (Badlock for Windows), but the vulnerable software is not used and ProxyAV is not vulnerable to known vectors of attack.  A fix for ProxyAV will not be provided.
2016-04-21 ProxySG 6.5 and 6.6 are vulnerable to CVE-2016-2115 and CVE-2016-2118 (Badlock for Samba).  They also have vulnerable code for CVE-2016-2110, but are not vulnerable to known vectors of attack.
2016-04-15 initial public release