CVE-2016-2118

samba: SAMR and LSA man in the middle attacks

Severity Score: 7.5 (CVSS v3.1)
Exploit Likelihood: (EPSS)
Affected Versions: (CPE)
Public Exploits: 1 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database.

Credits: N/A

CVSS Scores

CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -

* Organization's Worst-case Scenario
Timeline
  • 2016-01-29 CVE Reserved
  • 2016-04-12 CVE Published
  • 2016-04-19 First Exploit
  • 2024-08-05 CVE Updated
  • 2024-08-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-254: 7PK - Security Features
  • CWE-300: Channel Accessible by Non-Endpoint
CAPEC
References (50)
URL Date
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182185.html 2022-08-29
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182272.html 2022-08-29
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182288.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00020.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00021.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00022.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00023.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00024.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html 2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0611.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0612.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0613.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0614.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0618.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0619.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0620.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0621.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0623.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0624.html 2022-08-29
http://rhn.redhat.com/errata/RHSA-2016-0625.html 2022-08-29
http://www.debian.org/security/2016/dsa-3548 2022-08-29
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.458012 2022-08-29
http://www.ubuntu.com/usn/USN-2950-1 2022-08-29
http://www.ubuntu.com/usn/USN-2950-2 2022-08-29
http://www.ubuntu.com/usn/USN-2950-3 2022-08-29
http://www.ubuntu.com/usn/USN-2950-4 2022-08-29
http://www.ubuntu.com/usn/USN-2950-5 2022-08-29
https://security.gentoo.org/glsa/201612-47 2022-08-29
https://www.samba.org/samba/latest_news.html#4.4.2 2022-08-29
https://www.samba.org/samba/security/CVE-2016-2118.html 2022-08-29
https://access.redhat.com/security/cve/CVE-2016-2118 2016-04-12
https://bugzilla.redhat.com/show_bug.cgi?id=1317990 2016-04-12
https://access.redhat.com/articles/2243351 2016-04-12
https://access.redhat.com/articles/2253041 2016-04-12
Affected Vendors, Products, and Versions

Vendor    | Product      | Version             | Other | Status
----------|--------------|---------------------|-------|---------
Samba     | Samba        | >= 3.6.0 < 4.2.10   | -     | Affected
Samba     | Samba        | >= 4.3.0 < 4.3.7    | -     | Affected
Samba     | Samba        | >= 4.4.0 < 4.4.1    | -     | Affected
Canonical | Ubuntu Linux | 12.04               | -     | Affected
Canonical | Ubuntu Linux | 14.04               | esm   | Affected
Canonical | Ubuntu Linux | 14.04               | lts   | Affected
Canonical | Ubuntu Linux | 15.10               | -     | Affected
Canonical | Ubuntu Linux | 16.04               | esm   | Affected
Canonical | Ubuntu Linux | 16.04               | lts   | Affected
Debian    | Debian Linux | 7.0                 | -     | Affected
Debian    | Debian Linux | 8.0                 | -     | Affected