Check Point Threat Alert: Badlock Vulnerability

EXECUTIVE SUMMARY

• An elevation-of-privilege vulnerability exists in Microsoft Windows and the Samba interoperability suite for Linux & UNIX.
• Attackers could launch a man-in-the-middle-attack and downgrade the authentication level of DCE/RPC channels, allowing them to impersonate authenticated users.
• Check Point’s latest IPS update protects against this vulnerability with the “Microsoft Windows RPC Authentication Downgrade (MS16-047)” protection.

DESCRIPTION

• A vulnerability exists in Microsoft Windows and in the Samba interoperability suite for Linux & UNIX.
• An attacker could launch a man-in-the-middle (MiTM) attack and downgrade the authentication level of DCE/RPC channels. This would allow the attacker to impersonate authenticated users and gain access to restricted resources.
• This vulnerability occurs because the Security Account Manager (SAM) and Local Security Authority Domain Policy (LSAD) remote protocols accept authentication levels that do not provide adequate protection for information passed on the DCE/RPC channel. This affects all services using DCE/RPC.
• The vulnerability, referred to as Badlock, was assigned CVE number CVE-2016-0128.

CHECK POINT IPS PROTECTION

• Check Point IPS blade protects against this vulnerability with the following protection:
  • Microsoft Windows RPC Authentication Downgrade (MS16-047)
• The protection detects the attacker’s response to the client which causes the client to downgrade the authentication level. Setting the protection to prevent blocks the response.

REFERENCES

• Information shared by the security researchers who discovered the vulnerability:
  • http://badlock.org/
• Microsoft Security Bulletin MS16-047:
  • https://technet.microsoft.com/en-us/library/security/ms16-047.aspx