Badlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet

Similar documents
Improving DCERPC Security Hardening

Improving DCERPC Security

Samba. OpenLDAP Developer s Day. Volker Lendecke, Günther Deschner Samba Team

A new DCERPC infrastructure for Samba

A new DCERPC infrastructure for Samba

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

SDC EMEA 2019 Tel Aviv

The Important Details Of Windows Authentication

Cross-realm trusts with FreeIPA v3

SMB2 and SMB3 in Samba: Durable File Handles and Beyond. sambaxp 2012

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

Samba 4 Status Report

Security Services for Samba4. Andrew Bartlett Samba Team

The workstation account, netlogon schannel and credentials. SambaXP Volker Lendecke Samba Team / SerNet

CPSC 467: Cryptography and Computer Security

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

The return of the vampires

FreeIPA Cross Forest Trusts

Development Using Samba 4

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

CPSC 467b: Cryptography and Computer Security

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

MIT KDC integration. Andreas Schneider Günther Deschner May 21th, Red Hat

October 4, 2000 Expires in six months. SMTP Service Extension for Secure SMTP over TLS. Status of this Memo

SMB3 Multi-Channel in Samba

Disclaimer. This talk vastly over-simplifies things. See notes for full details and resources.

DCERPC and Endpoint Mapper

Root KSK Roll Update Webinar

Samba4: War Stories. Andrew Bartlett Samba Team / Red Hat

Once all of the features of Intel Active Management Technology (Intel

RID IETF Draft Update

Release Notes for Snare Enterprise Agent for MSSQL Release Notes for Snare Enterprise Agent for MSSQL v1.2/1.3

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Gerald Carter Samba Team/HP

Configuring OpenVPN on pfsense

The poor state of SIP endpoint security

Case Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University

Network Insecurity with Switches

Configuring Request Authentication and Authorization

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

XenaL47Server: 3.2 VulcanManager: Common Tools XenaChassisUpgrader:

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Disclaimer. This talk vastly over-simplifies things. See notes for full details and resources.

secure communications

Man-In-The-Browser Attacks. Daniel Tomescu

Implementing Persistent Handles in Samba. Ralph Böhme, Samba Team, SerNet

Locking down a Hitachi ID Suite server

Steel Belted Radius. Release Notes SBR 6.24 Build 1. Release, Build Published Document Version Build 1 May,

Part 1: Anatomy of an Insider Threat Attack

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

IDP Detector Engine Release Notes

Information Security CS 526

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

HikCentral V1.3 for Windows Hardening Guide

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

DNS Cache Poisoning Looking at CERT VU#800113

Chapter 2. Switch Concepts and Configuration. Part II

CONFERENCE PROCEEDINGS QUALITY CONFERENCE. Conference Paper Excerpt from the 28TH ANNUAL SOFTWARE. October 18th 19th, 2010

Crypto meets Web Security: Certificates and SSL/TLS

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Windows 2000 Conversion Wrapup. Al Williams Penn State Teaching and Learning with Technology SHARE 98, Nashville, TN Session 5822

Root KSK Roll Delay Update

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Simo Sorce Samba Team.

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

Barracuda Firewall Release Notes 6.6.X

WAP Security. Helsinki University of Technology S Security of Communication Protocols

WHITE PAPER. Secure communication. - Security functions of i-pro system s

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

CVE / "POODLE"

Internet Engineering Task Force (IETF) Request for Comments: 8437 Updates: 3501 August 2018 Category: Standards Track ISSN:

Defending Yourself Against The Wily Wireless Hacker

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

Remote Desktop Security for the SMB

CSCI 680: Computer & Network Security

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Beyond the Horizon. What's after Samba 3.0? (Or is the earth really flat?)

Pulseway Security White Paper

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

HPE Common Internet File System (CIFS) Server Release Notes Version B for HP-UX 11i v3

Securing Internet Communication: TLS

Network Security (and related topics)

SE420 Software Quality Assurance

The State of Samba (June 2011) Jeremy Allison Samba Team/Google Open Source Programs Office

More Attacks on Cryptography 3/12/2010

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

Going Without CPU Patches on Oracle E-Business Suite 11i?

Security Improvements on Cast Iron

CIP Security Phase 1 Secure Transport for EtherNet/IP

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

General Pr0ken File System

CSC 574 Computer and Network Security. TCP/IP Security

Root KSK Rollover Update (or, We're really doing it this time)

Transcription:

Badlock One Year In Security Hell Stefan Metzmacher <metze@samba.org> Samba Team / SerNet 2016-05-11 https://samba.org/~metze/presentations/2016/metze sambaxp2016 badlock-handout.pdf

Stefan Metzmacher Badlock (2/25) Agenda History of reports/findings The badlock related bugs in detail New options Behavior changes Coordination with Microsoft The final sprint Coordination with Vendors Regressions Future improvements Thanks! Questions?

Stefan Metzmacher Badlock (3/25) History (Part 1) CVE-2015-3223: LDAP 00 search expression attack Reported on June 9, 2015 Fix released on December 16, 2015 CVE-2015-7540: Bogus LDAP request cause memory DoS Reported on September 20, 2012, but (re-)noticed by CVE-2015-3223 Fix released on December 16, 2015 CVE-2015-5370: Multiple errors in DCE-RPC code Reported on June 18, 2015 Fix released on April 12, 2016 CVE-2015-5252: Insufficient symlink verification Reported on July 9, 2015 Fix released on December 16, 2015 CVE-2016-2118: SAMR and LSA man in the middle attacks Found in July 2015 (Badlock) Fix released on April 12, 2016

History (Part 2) CVE-2015-5299: Currently the snapshot browsing is not secure Reported on September 24, 2015 Fix released on December 16, 2015 CVE-2015-5296: No man in the middle protection with smb encryption Found on September 30, 2015 Fix released on December 16, 2015 CVE-2015-8467: Microsoft MS15-096 / CVE-2015-2535 needs matching fix in Samba Reported on October 13, 2015 Fix released on December 16, 2015 CVE-2015-5330: Remote read memory exploit in LDB Reported on November 12, 2015 Fix released on December 16, 2015 CVE-2016-2110: Man in the middle attacks possible with NTLMSSP Found in November 2015 Fix released on April 12, 2016 Stefan Metzmacher Badlock (4/25)

Stefan Metzmacher Badlock (5/25) History (Part 3) CVE-2016-2111: NETLOGON Spoofing Vulnerability Noticed in November 2015 Fix released on April 12, 2016 CVE-2016-2112: The LDAP client and server don t enforce integrity protection Found in November 2015 Fix released on April 12, 2016 CVE-2016-2113: Missing TLS certificate validation Noticed in November 2015 Fix released on April 12, 2016 CVE-2016-2114: server signing = mandatory not enforced Noticed in November 2015 Fix released on April 12, 2016 CVE-2016-2115: SMB client IPC traffic is not protected Noticed in November 2015 Fix released on April 12, 2016

Stefan Metzmacher Badlock (6/25) History (Part 4) CVE-2015-7560: Setting ACLs on symlinks changes target Reported on December 23, 2015 Fix released on March 8, 2016 CVE-2016-0771: Read of uninitialized memory DNS TXT handling Reported on January 22, 2016 Fix released on March 8, 2016 Release of the first bunch of CVEs on December 23, 2015 We tried to get as much as possible out of our way Release of the second bunch of newly found CVEs on March 8, 2015 We knew the third bunch was going to be huge, so we released everything that was ready to ship Release of the third bunch of man in the middle related CVEs on April 12, 2015 This was a very huge release including a lot of rewritten code and new options resp. behavior changes

Stefan Metzmacher Badlock (7/25) CVE-2015-5370: Multiple errors in DCE-RPC code The first denial of service problem was found at an interop event by Jouni Knuutinen from Synopsys Jeremy Allison did the initial research While reviewing the initial patches the nightmare begun I found new problems day after day About 20 problem classes (mostly denial of service and man in the middle) Distributed over 4 DCERPC implemtations (2 servers, 2 clients) I analysed these problems deeply together with Günther Deschner At the end I had 94 patches including an almost complete DCERPC protocol verification testsuite

Stefan Metzmacher Badlock (8/25) CVE-2016-2118: Badlock (Part 1) While thinking about the CVE-2015-5370 patches I thought about possible related problems After a while I found that the DCERPC auth level can be downgraded and nasty things can be done with it My first finding was limited to clients using ncacn ip tcp with SAMR I created a man in the middle exploit that got the full AD database including all secret keys while joining a Windows DC into a Windows domain NOTE THIS IS A FULL TAKEOVER: information leak and remote code execution on all domain member computers (maybe also in trusted domains) The attacker only need see the clients network traffic I guess it s really not that unlikely that someone might find exploits for unpatched router firmware Jeremy and I reported this to secure@microsoft.com on July 31, 2015

Stefan Metzmacher Badlock (9/25) CVE-2016-2118: Badlock (Part 2) After thinking a bit more I finally realized that the problem is even worse It is not limited to a join of a new Windows DC Every login as an administrator can be used by an attacker It is not limited to just Windows domains, also Samba domains are affected The problem is a generic to DCERPC over unprotected transports like ncacn ip tcp or ncacn np (without SMB signing) Some application layer protocols (e.g. DRSUAPI) only allow secure connections using integrity or privacy protection Samba was missing most of these checks which were already available on Windows

Stefan Metzmacher Badlock (10/25) CVE-2016-2110: Man in the middle attacks with NTLMSSP While working on CVE-2015-5370 and CVE-2016-2118 I thought a complete audit of all protocols was required After a while I found that NTLMSSP flags, e.g. NTLMSSP SIGN/SEAL can be removed by a man in the middle without noticing This has implication on encrypted LDAP traffic A bit of research revealed that Microsoft already implemented downgrade detection into NTLMSSP when using NTLMv2 I decided to implement the same in Samba in order to improve NTLMSSP authenticated connections

Stefan Metzmacher Badlock (11/25) CVE-2016-2111: NETLOGON Spoofing Vulnerability While researching about CVE-2016-2110 I found Microsofts CVE-2015-0005 NETLOGON Spoofing Vulnerability The problem with this was that any domain member was able to ask the domain controller for NTLM session keys of authentication sessions of all other domain members. The protection mechanism relies on NTLMv2 being used only via NTLMSSP During the research it turned out that the problem in Samba were even worse Anonymous attackers could ask for the session keys raw NTLMv2 was allowed without NTLMSSP wrapping, which allowed downgrade attacks

Stefan Metzmacher Badlock (12/25) CVE-2016-2112: LDAP integrity protection is not enforced Fixing the specific NTLMSSP based problems of CVE-2016-2110 is not enough The LDAP client and server also need to verify the authentication (gensec) backend provides the requested features This is required in order to prevent Kerberos replay attacks It was required to fix these things in the LDAP server as well as in our two LDAP client libraries At the same time we improved the consistency of behaviors especially regarding the usage of configuration options The default behavior of the LDAP server is much stricter than before

Stefan Metzmacher Badlock (13/25) CVE-2016-2113: Missing TLS certificate validation While analyzing CVE-2016-2110 and CVE-2016-2112, I realized that we don t do any certificate validation This applies to all TLS based protocols like ldaps:// and ncacn http with https:// For ldaps:// it only applies to tools like samba-tool, ldbsearch, ldbedit and other ldb tools Typically, these protocols are not used, but if someone does use them they are expected to be protected So (as a client) we now verify the server certificates as much as we can

Stefan Metzmacher Badlock (14/25) CVE-2016-2114: server signing = mandatory not enforced While working on CVE-2015-5370 and CVE-2016-2118 I thought a complete audit of all protocols was required As all unprotected DCERPC transports are vulnerable to man in the middle attacks it was clear that SMB signing is important It turned out that we didn t require SMB signing even if we are configured with mandatory signing This is fixed now As an active directory domain controller we require signing by default now

Stefan Metzmacher Badlock (15/25) CVE-2015-2115: SMB IPC traffic is not integrity protected While working on CVE-2015-5370 and CVE-2016-2118 I thought a complete audit of all protocols was required As all unprotected DCERPC transports are vulnerable to man in the middle attacks it was clear that SMB signing is important We can t change the default of client signing and client max protocol in a security release, because of performance reasons We try to use SMB3 and required signing for IPC$ related SMB client connections, which are used as a DCERPC transport

Stefan Metzmacher Badlock (16/25) New options In order to prevent the man in the middle attacks it was required to change the (default) behavior for some protocols. New smb.conf options: allow dcerpc auth level connect (G) client ipc signing (G) client ipc max protocol (G) client ipc min protocol (G) ldap server require strong auth (G) raw NTLMv2 auth (G) tls verify peer (G) tls priority (G) (backported from Samba 4.3 to Samba 4.2)

Stefan Metzmacher Badlock (17/25) Behavior changes In order to prevent the man in the middle attacks it was required to change the (default) behavior for some protocols. Change behaviors: The default auth level for ncacn ip tcp: bindings has changed to DCERPC AUTH LEVEL INTEGRITY. client lanman auth = yes is now required for LANMAN2 connections client ntlmv2 auth = yes and client use spnego = yes require SPNEGO client ldap sasl wrapping is now used for all LDAP client code

Stefan Metzmacher Badlock (18/25) Coordination with Microsoft After a face to face meeting in Redmond in September I had regular phone calls with them I proposed a very simple change for the urgent (badlock) problem We also discussed some more advanced changes, but they didn t pass Windows regression tests and were therefore postponed In order to get the most important fixes out of the door we agreed on April 12, 2016 as target release date We have planed to continue the discussion regarding more advanced solutions and improved protocol hardening once we re (or at least I m) fully recoverd

Coordination with Vendors (Part 1) As the Samba Team we only have resources to provide security fixes for 3 maintained branches (currently 4.4, 4.3 and 4.2) 4.4.2 had 323 patches on top of 4.4.0 (note that 4.4.1 had a regression and was superseeded by 4.4.2) samba-4.4.0-security-2016-04-12-final.patch 227 files changed, 14582 insertions(+), 5037 deletions(-) 4.3.8 had 352 patches on top of 4.3.6 (note that 4.3.7 had a regression and was superseeded by 4.3.8) samba-4.3.6-security-2016-04-12-final.patch 236 files changed, 14870 insertions(+), 5195 deletions(-) 4.2.11 had 440 patches on top of 4.2.9 (note that 4.2.10 had a regression and was superseeded by 4.2.11) samba-4.2.9-security-2016-04-12-final.patch 319 files changed, 17636 insertions(+), 7506 deletions(-) Given huge amount of changes we (at SerNet) thought it would be good think to inform the public about the target release date http://badlock.org was created in order to provide a central location for information Stefan Metzmacher Badlock (19/25)

Stefan Metzmacher Badlock (20/25) Coordination with Vendors (Part 2) Vendors shipping Samba as part of their product get early access to security patches and releases They need to prepare binary packages and maybe backport patches This time backport patches for the most critical parts in older branches were mostly done by Ralph Böhme, Andreas Schneider and Günther Deschner samba-v4-0-security-2016-04-12-fileserver-only.patch 70 files changed, 3145 insertions(+), 540 deletions(-) samba-v3-6-security-2016-04-12.patch 95 files changed, 4007 insertions(+), 978 deletions(-) Jeremy Allision also notified other non-samba vendors, with their own SMB/DCERPC implementation, e.g. Apple, EMC, NetApp, Oracle, Nexenta and Huawei. Given the impact of these bugs we avoided plaintext email or bugzilla comments until the release day

Stefan Metzmacher Badlock (21/25) The final sprint I spend about 3 person months on security problems between June 2015 and February 2016 Mostly alone, but also with a lot of help from Günther Deschner (who reviewed every single patch of the April 12, 2016 releases carefully) I somehow managed to work 2 person months during March 2016 The aim was to get the patches to our vendors as fast as possible and be ready 3 weeks before the release But it took a bit longer than expected and the patches (for the upstream releases) were ready and reviewed 12 days before the public release The public release date announcement was able to finally get the interest of more Samba-Team members (and their employers) This was important in order to get as much regression testing as possible It was a time with a lot of intense team work and a lot of conference calls

Stefan Metzmacher Badlock (22/25) Regressions In Samba we have testsuite called autobuild with several thousand tests This runs before each push to the public branches Using private autobuilds prevented a lot of bad supprises We had a lot of testing the Redhat, SuSE and SerNet QA teams Which also found some regressions before the final release Although we had so much testing we had some regressions in the April 12, 2016 releases They were mostly regarding guest access with NTLMSSP against Samba and Apple clients and servers In some scenarios the communication with the domain controller was broken These were fixed on May 2, 2016 A few days ago we got the bug reports of ntlm auth crashes We already have a fix for one issue (bug #11912) We are still debugging the other one (bug #11914)

Stefan Metzmacher Badlock (23/25) Future Improvements I have ideas how improve the DCERPC security in a generic way This needs to be done in a backward compabible way in order to avoid breaking existing implementatins These ideas will be discussed with Microsoft We plan to do further protocol hardening in Samba Disable NTLMv1 by default for the next major release Add ways to disable NTLMSSP completely Add support for Kerberos FAST This is available in Windows 2012 (maybe R2) domains It protects the password based Kerberos authentication using the much more secure machine password We ll always search for new ways to improve the security of Samba

Stefan Metzmacher Badlock (24/25) Thanks! People who helped out: Günther Deschner Andreas Schneider Ralph Böhme Jeremy Allison Andrew Bartlett Alexander Bokovoy Michael Adam Others

Stefan Metzmacher Badlock (25/25) Questions? http://badlock.org/ https://www.samba.org/samba/history/security.html https://www.samba.org/samba/latest news.html#4.4.2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback