
SANS ISC: BadLock Vulnerability (CVE-2016-2118) - SANS Internet Storm Center

BadLock Vulnerability (CVE-2016-2118)

Today, Microsoft and the SAMBA team jointly released a fix for CVE-2016-2118, a vulnerability also known as "BadLock". While a man-in-the-middle and DoS vulnerability may not quite be the type of vulnerability everybody was waiting for, it should still be taken seriously and patched.

You are of course most at risk if you are allowing SMB traffic over untrusted networks, which has always been a bad idea. Exploitation of a man-in-the-middle vulnerability does require that the attacker is able to intercept traffic. The use of a VPN would prevent exploitation.

What to tell your Boss/Spouse/Parent

Due to the hype associated with this vulnerability, you will likely get a lot of questions about it. Overall, nothing fundamentally changed:

  • Patch as you get to it, but no reason to rush this one
  • Do not use SMB over networks you don't trust
  • Firewall SMB inbound and outbound
  • If you need to connect to remote file shares, do so over a VPN.
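As an added example (not part of the original diary), the following script shows one way to check the "do not use SMB over networks you don't trust" and "firewall SMB inbound and outbound" advice against firewall or flow logs: it flags SMB/NetBIOS flows where either endpoint lies outside the trusted address space. The key=value log format, the sample records and the definition of "trusted" (RFC 1918 plus loopback) are assumptions made here.

```python
import ipaddress

# SMB and NetBIOS ports; a flow on any of these that crosses the trust
# boundary is what firewalling SMB inbound and outbound is meant to stop.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Assumption: "trusted" means RFC 1918 plus loopback; adjust to your own address plan.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def parse_flow(line: str) -> dict:
    # Constructed key=value flow format: "src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=445"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "proto": fields["proto"].lower(), "dport": int(fields["dport"])}

def smb_across_boundary(lines):
    """Return SMB/NetBIOS flows with an untrusted endpoint, tagged by direction."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if (f["proto"], f["dport"]) not in SMB_PORTS:
            continue
        src_ok, dst_ok = is_trusted(f["src"]), is_trusted(f["dst"])
        if src_ok and dst_ok:
            continue  # SMB staying inside the trusted network: expected traffic
        direction = "outbound" if src_ok else "inbound"
        findings.append((direction, f["src"], f["dst"], f["proto"], f["dport"]))
    return findings

# Constructed sample flow records (not real traffic)
SAMPLE_FLOWS = [
    "src=10.1.2.3 dst=10.1.2.10 proto=tcp dport=445",      # internal file share, fine
    "src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=445",    # client reaching a share on the Internet
    "src=198.51.100.7 dst=10.1.2.10 proto=tcp dport=139",  # untrusted host hitting internal SMB
    "src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=443",    # HTTPS, not SMB
    "src=10.1.2.3 dst=192.0.2.9 proto=udp dport=137",      # NetBIOS name service leaving the network
]

if __name__ == "__main__":
    for hit in smb_across_boundary(SAMPLE_FLOWS):
        print("%s SMB flow: %s -> %s %s/%d" % hit)
```

Any hit is either a firewall rule that is missing or a client that should be going through a VPN instead.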

Johannes B. Ullrich, Ph.D.



Apr 12th 2016
I just listened to the webinar and Johann made reference to KB3148597 containing the patch. When I checked my reference machine after installing the WSUS morning delivery I did not find that KB but I did find KB3149090, which is the correct update that patches the vulnerability. I don't know what the difference in KB article numbers is about but thought I would share here for anyone that may get confused. If the machine has update KB3149090 it is patched and protected against BADLOCK as of today.
