You probably heard about the new hyped security vulnerability, Bad Lock, by now. But what is it?
BadLock is a security vulnerability discovered recently on March 22nd in Samba and Windows. Samba is an open source project, under the GNU licenses. It provides a fast file and print services for all clients using the Server Message Block (SMB)/CIFS protocol, such as all versions of DOS and Windows, Linux and many others.
Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller and as a regular domain member. Simply put, Samba enables the communication between Windows and Unix operating systems.
Since the overlap between Windows and Samba is the Server Message Block (SMB)/CIFS protocol and Active Directory, it leads to the conclusion that this is the vulnerable part. We can only speculate regarding the actual threat. What could happen?
Our first guess is the classic “man in the middle attack”. As samba communicates between operating systems, data theft while the systems communicate is one possible option for hackers.
From the same reason, an attack of corruption is an option as well, a bug implemented while systems communicate and corrupts one of the systems.
Another scenario would probably be identity the ft. Samba also handles "share mode" and "user mode" authentication and authorization. Therefore a possible case would probably be a non-authorized access to one of the operating systems while communicating, and, of course, data theft as a result.
Nice Logo, but where are the details...
The Samba and Windows team working on this vulnerability have been getting some negative feedback since it was first release, since they release it with a sexy name and its own website, got a lot of coverage, but the bug details are still not out and we currently know nothing about it.
The Bad Lock website doesn’t offer any additional information, other than to say that patches will be available for Samba 4.2-4.4, while Samba 4.1 will no longer be supported. All details are expected to be released on Apr 12th.
Why are they withholding information?
The details will not be published, until a patch will be available. This is the customary procedure in the open source community in order to protect the users of the vulnerable open source component. Otherwise hackers will be able to exploit it and companies will not have the chance to protect their software.
Although no details are offered at this point, this heads up offers companies the opportunity to be prepared to patch the vulnerable libraries as soon as the vulnerability and fix is released. After all, once vulnerability and patch will be released, the race between hackers and companies will start. Open source vulnerabilities are a very lucrative source for hackers as one vulnerability equals many victims.
So, what should you do in the meantime?
First, you need to know if you are using Samba and if you are, ensure you are using a version that will be patch. Samba version 4.1 and below – will not be patched. Only Samba 4.2, 4.3 and 4.4 according to the vulnerability website.
Once you’ll identify if you are using a possible vulnerable component, make sure to check on Apr 12th and patch as quickly as you can. Keep in mind that you might not be exposed to BadLock at all.
WhiteSource is an automated open source management solution, which detect open source libraries in your software within minutes, including all dependencies. We also continuously monitor new CVEs and inform our customers, in real time, about vulnerable libraries in their software and if there are any fixes to these vulnerabilities.
You shouldn’t necessarily be concerned about Bad Lock, but about the new 2,000 security vulnerabilities discovered in open source components every year. The average WhiteSource customer receives more than 300 alerts on security vulnerabilities every year. How many vulnerable open source libraries are you currently using?