Tuesday, April 12, 2016

Badlock - a bad thing for our industry

TL;DR - if you're thinking of naming a vuln, think again
The day is here and while Badlock is a vulnerability, it's not the horror it was hyped up to be.


Is it RCE?
No

Is it Denial of Service (DoS) against Windows?
No

Will it make you a latte?
No

What was the CVSS score?
7.1

Whoa - 7.1?! That sounds pretty low...
Indeed, you are correct.  There are numerous bugs that have been released over the last 60 dyas with higher CVSS scores, none of which have their own website, name, or logo.  In fact, Rendition Infosec is much more concerned that clients apply the out of band Adobe Flash patch.  The flash bug is being actively exploited in the wild right now providing attackers with unauthenticated remote code execution. Badlock has no publicly available exploit and does not offer attackers RCE in any case.   FYSA, the Flash bug has a much higher CVSS score than Badlock's 7.1.

Why doesn't the new Flash vulnerability have a name like Badflash?
Probably because Adobe wishes we'd forget their software is horrifically vulnerable. Seriously, they stand to gain nothing by publicizing it, while the folks who discovered and publicized Badlock will live in infamy (for all the wrong reasons).

What the f*%k is Badlock then?
That depends on whether we are talking about Windows or Samba.  On Windows, it's an SMB replay vulnerability.  Microsoft has been warning about this for years.  We recommend to all of our clients that they implement (and enforce) SMB signing where possible.

If you are running Samba, then Badlock is a collection of vulnerabilities that are a Denial of Service (DoS).  It's not an RCE there either, though you could take a Samba server offline and cause it stop responding to requests.  In some embedded systems that use Samba this could make the device completely unresponsive.

Wait, are you telling me a non-RCE bug has it's own f%$king website?!
Um, yes.  And this is bad for our industry.  My students all know about the Jake's Mom Test (TM).  My mom is really smart in her own right, but she's a technotard.  If she's heard of a technology vulnerability, it's been really hyped.  Bugs that get fancy websites and lots of press catch her attention and I get a call.  I got a call on this one, probably because it's a slow news week.

Original attribution for hilarious meme @YanceySlide
The problem is that my mom also has a limited attention span when it comes to technology.  Try as she might, she can't be bothered by countless websites and media notifications if they are all bull sh*t.  It's the "chicken little" effect.  We as an industry can only claim the sky is falling so many times before people stop listening.

On bug naming
Bug naming isn't evil in and of itself.  Heartbleed deserved a name.  So did ShellShock.  I'm dubious of almost everything since.  VENOM was a publicity stunt.  Ghost was hardly exploitable anywhere.   The problem is that we have to choose the bugs we name very carefully.  When we fail to do so, the media gets numb to us howling about vulnerabilities that materialize to nothing.

On vulnerability disclosure
In my first post on Badlock, I accused Metzmacher of violating the generally accepted responsible disclosure guidelines. I even went so far as to accuse him of creating a new class of disclosure called 'douche disclosure.'  I tried to get this listed in Wikipedia (it was removed) and Urban Dictionary (they are surprisingly selective in approving new terms).  I'll need some help in making that term stick, but it could be a go.

Are you sorry you blogged about it?  
Not one bit.  I have a lot of clients, many of whom have have very real network security challenges.  If Badlock was all horror, three weeks is a long time to prepare and get the house in order before it burns to the ground.  Every recommendation I made would dramatically increase network security overall, Badlock or no Badlock.

Also, the early pre-disclosure prompted me to post instructions for checking TCP 139/445 egress filtering.  Many who read the blog have taken advantage of that and today understand they have a problem they didn't know about before.  That was a win for everyone and I'm happy Rendition Infosec could be a part of it.

Closing thoughts
In general, Metzmacher and Badlock illustrate that douche disclosure and indiscriminate vulnerability naming are bad for our industry.  Most of the non-infosec public are more like my mom (the technotard) than us.  We in infosec have a limited number of times we can cry wolf.  VENOM, Ghost, and now Badlock have all hurt us in this regard.  

I hate to say it, but I'm almost looking for another Heartbleed to restore some credibility with the media to our industry...

3 comments:

  1. But there is one thing i´m can say for a certain: I´m in the public high education sector, and i am seeing many worm´s in my network. IS the a hole that has not been catch yet?
    Thanks Jake for all your great posts.

    ReplyDelete
  2. Isn't the media also to blame for demanding that everything be sensationalized? They've made themselves conduits of hype and hyperbole. If they had spent their efforts on informing and empowering the public, there would be no market for Badlock hype.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete

Note: Only a member of this blog may post a comment.