CVE-2016-0128
published 2016-04-12


Priority: P3 (43)
CVSS 3.1: 6.8 medium (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS: 20.88% (97.2nd percentile)
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."

Affected (14 ranges)

Vendor       Product                                        Version range   Fixed in
microsoft    windows_10
microsoft    windows_server_2008
microsoft    windows_server_2012
msrc         windows_10
msrc         windows_10_version_1511
msrc         windows_7
msrc         windows_8.1
msrc         windows_rt_8.1
msrc         windows_server_2008
msrc         windows_server_2008_r2
msrc         windows_server_2012
msrc         windows_server_2012_r2
msrc         windows_vista_service_pack_2
msrc         windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

  • The vulnerability involves a man-in-the-middle attack that forces a downgrade of the authentication level on the SAM and LSAD RPC channels — monitor for anomalous RPC channel establishment attempts targeting SAM (MS-SAMR) and LSAD (MS-LSAD) remote protocols with reduced authentication levels.
  • Only SAM and LSAD remote protocol traffic is affected, not SMB — focus detection on MS-SAMR and MS-LSAD RPC traffic rather than generic SMB traffic.
  • Nessus plugin 90510 provides an uncredentialed (remote) check for MS16-047 / CVE-2016-0128 — use this for network-based detection of unpatched Windows systems.
  • Nessus plugin 90440 provides a credentialed local check for MS16-047 (KB3148527) on Windows — use to identify unpatched Windows hosts.
  • Attack can permit viewing or modifying secrets within an AD database, including user password hashes — monitor for unexpected reads of the SAM database or NTDS.dit access patterns.
  • The vulnerability affects SAM and LSAD remote protocol RPC channel establishment — the root cause is acceptance of authentication levels that do not adequately protect the channel, not the SMB protocol itself.
  • Affected Samba versions span a wide range (3.6.x through 4.4.0); patched versions are 4.2.10+, 4.3.7+, and 4.4.1+ — ensure version checks in detection rules cover all listed affected branches.
  • Exploit status is publicly disclosed but not yet exploited in the wild at time of advisory — exploitation assessed as unlikely for both latest and older software releases.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      6.8     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
nvd           v2.0      5.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:N
vendor_msrc             6.8     HIGH