Badlock Vulnerability — Pre-Release Analysis
It seems that merely releasing a vulnerability with a cool logo and marketing budget isn’t enough these days. Like the movie studio behind a blockbuster film, the authors of the Badlock vulnerability have decided to go all out and start their marketing in advance of their disclosure.
Details of what the bug actually allows an attacker to do will not be provided until 17:00 GMT on Tuesday 12th April, so we won’t know how serious it is until then. However, there are a few limited details available.
According to the author’s website, the vulnerability affects the file and printer sharing protocol (known as SMB) on both Windows and Linux/Unix. As SMB is generally designed for sharing files and communicating with printers on an internal company network, it’s the kind of service you shouldn’t need to expose to the internet.
As a result, it is rare to find SMB exposed to the internet, but a quick search on Shodan still identifies it on around 51,000 (or about 0.4%) of all internet-facing systems in the UK.
Exposing unnecessary services to the Internet always carries a risk that a vulnerability will be discovered and create an entry point for an attacker. That’s why we’ve been advising our customers to lock down unnecessary services like SMB since we created the Intruder continuous security monitoring service last year, and I’m pleased to say that none of them are currently exposing SMB to the Internet.
Even if you’re not using the Intruder service yet, there are a number of things you can do to get ready for tomorrow’s release:
- Check that none of your internet-facing systems are exposing SMB to the internet. SMB typically runs on TCP ports 137, 139 & 445 and UDP ports 137 & 138.
- Ensure you have a robust vulnerability management process in place, which features regular assessments of newly released vulnerabilities and can prioritise critical threats as they occur.
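
For the first check, a host-side starting point is to look for SMB/NetBIOS listeners bound to anything other than loopback. The script below is an added example, not part of the original post: it parses `ss -H -tuln` output from a Linux host against the ports listed above. The sample output is constructed, the function names are hypothetical, and whether a flagged listener is actually reachable from the internet still depends on the firewall in front of it.

```python
import ipaddress

# Ports listed in the article: TCP 137, 139 & 445 and UDP 137 & 138.
SMB_PORTS = {"tcp": {137, 139, 445}, "udp": {137, 138}}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      50         127.0.0.1:139        0.0.0.0:*
udp   UNCONN 0      0         192.0.2.10:137        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50              [::]:445           [::]:*
udp   UNCONN 0      0            0.0.0.0:138        0.0.0.0:*
tcp   LISTEN 0      50             [::1]:139           [::]:*
"""


def is_loopback(addr):
    """True only when the bind address is a loopback address."""
    # Drop any %interface suffix, then the brackets around IPv6 literals.
    addr = addr.split("%", 1)[0].strip("[]")
    if addr == "*":  # wildcard bind: listens on every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than hide it


def exposed_smb_listeners(ss_output):
    """Return (proto, address, port) for SMB listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if int(port) in SMB_PORTS.get(proto, ()) and not is_loopback(addr):
            findings.append((proto, addr, int(port)))
    return findings


if __name__ == "__main__":
    for proto, addr, port in exposed_smb_listeners(SAMPLE_SS):
        print(f"{proto}/{port} listening on {addr}")
```

On a real host, pass the text produced by `ss -H -tuln` to `exposed_smb_listeners` in place of the sample.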
If you’re unsure if your organisation is currently exposing SMB to the internet, we’d be happy to help you find out. Just send an email to firstname.lastname@example.org.
For those interested, the (currently limited) details of the vulnerability can be found at badlock.org.