Sorry, not available in this language yet

Early notice of Badlock bug draws criticism

Posted by Robert Vamosi on Thursday, March 24, 2016

The Badlock bug website went live three weeks ahead of full disclosure and software updates. But some practitioners question the need for the early notice.

Engineers at Microsoft and the Samba Team have put system administrators on notice—without providing much detail. Call it an awareness campaign that something serious will be disclosed mid-April. But some in the security community are questioning the need for the early notice.

On Wednesday the Badlock bug website went live three weeks early to give everyone a heads-up for the full disclosure and software updates expected to be issued on April 12, 2016. “Please get yourself ready to patch all systems on this day,” the Badlock team wrote. “We are pretty sure that there will be exploits soon after we publish all relevant information.”

According to the site, Stefan Metzmacher, a member of the international Samba Core Team who works at SerNet focusing on Samba, discovered the vulnerability dubbed the Badlock bug and reported it to Microsoft. Known affected versions include Samba 4.3, 4.3, and 4.4. Samba 4.1 and below are now out of support. Beyond that, little else about the Badlock bug was disclosed on the site.

Some security experts warn that an advance warning without details could tip off criminal hackers looking to exploit a major vulnerability. For example, a common intersection between Samba and Microsoft includes the Server Message Block (SMB) / Common Internet File System (CIFS), which is used for access to files, printers, and serial ports. Another intersection occurs with Active Directory for authentication and authorization. Linux, BSD, and other Unix-like operating systems use Samba software to integrate into Windows networks, according to the Naked Security blog. One need only to drill down on these parts of the code to find the Badlock bug on their own.

Responsible disclosure means that the researchers informs a responsible party (such as their local CERT) or the vendor directly, then give those parties enough time to issue a patch or at least privately warn affected parties and provide a suitable work around. SerNet did inform Microsoft of the vulnerability, but it is unclear what purpose the advance notice might serve.

As for the cute logo, which has drawn comparisons to Heartbleed and criticism that this is merely a marketing exercise, the Badlock team responds, “It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding—it started a while ago with everyone working on fixes.”

However, Brian Martin, director of vulnerability intelligence at Risk Based Security, called it “pure, unadulterated marketing” on the part of SerNet, and Steve Regan at CSO thinks it’s entirely possible the SerNet worker who discovered the Badlock bug had a role in creating it. According to Wired.com, Metzmacher’s name appears in 463 Samba source code files, created between 2002 and 2014, and several other people at SerNet were also developers of the Samba software. “This is part of the company’s selling point for its services—it can claim that few people and companies know Samba as well as Metzmacher and its other employees do,” Wired noted.

“It is certainly eye opening when someone develops a piece of software for over a decade, then finds a critical vulnerability in it a couple years after…and will most likely capitalize on it directly,” Martin wrote in his blog post.