Check Point Threat Alert: Badlock Vulnerability
ByDanny Lieblich and Amir Landau, Threat Intelligence & Research
EXECUTIVE SUMMARY
- An elevation-of-privilege vulnerability exists in Microsoft Windows and the Samba interoperability suite for Linux & UNIX.
- Attackers could launch a man-in-the-middle-attack and downgrade the authentication level of DCE/RPC channels, allowing them to impersonate authenticated users.
- Check Point’s latest IPS update protects against this vulnerability with the “Microsoft Windows RPC Authentication Downgrade (MS16-047)” protection.
DESCRIPTION
- A vulnerability exists in Microsoft Windows and in the Samba interoperability suite for Linux & UNIX.
- An attacker could launch a man-in-the-middle (MiTM) attack and downgrade the authentication level of DCE/RPC channels. This would allow the attacker to impersonate authenticated users and gain access to restricted resources.
- This vulnerability occurs because the Security Account Manager (SAM) and Local Security Authority Domain Policy (LSAD) remote protocols accept authentication levels that do not provide adequate protection for information passed on the DCE/RPC channel. This affects all services using DCE/RPC.
- The vulnerability, referred to as Badlock, was assigned CVE number CVE-2016-0128.
CHECK POINT IPS PROTECTION
- Check Point IPS blade protects against this vulnerability with the following protection:
- The protection detects the attacker’s response to the client which causes the client to downgrade the authentication level. Setting the protection to prevent blocks the response.
REFERENCES
- Information shared by the security researchers who discovered the vulnerability:
- Microsoft Security Bulletin MS16-047:
You may also like
Shifting Attack Landscapes and Sectors in Q1 2024 with a 28% increase in cyber attacks globally
Recurring increase in cyber attacks: Q1 2024 saw a marked ...
Not So Private After All: How Dating Apps Can Reveal Your Exact Location
Check Point Research (CPR) recently analyzed several popular dating applications ...
Agent Tesla Targeting United States & Australia: Revealing the Attackers’ Identities
Highlights Check Point Research (CPR) uncovered three recent malicious campaigns ...
Beyond Imagining – How AI is actively used in election campaigns around the world
Key Findings AI is already extensively utilized in election campaigns ...