CVE-2016-0128
Published 2016-04-12
Priority: P343 · Severity: medium · CVSS 3.1 base score 6.8
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 20.88% (97.2th percentile)
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability involves a man-in-the-middle attack that forces a downgrade of the authentication level on the SAM and LSAD RPC channels; monitor for anomalous RPC channel establishment attempts targeting the SAM (MS-SAMR) and LSAD (MS-LSAD) remote protocols with reduced authentication levels.
- Only SAM and LSAD remote protocol traffic is affected, not SMB; focus detection on MS-SAMR and MS-LSAD RPC traffic rather than generic SMB traffic.
- Nessus plugin 90510 provides an uncredentialed (remote) check for MS16-047 / CVE-2016-0128; use it for network-based detection of unpatched Windows systems.
- Nessus plugin 90440 provides a credentialed local check for MS16-047 (KB3148527) on Windows; use it to identify unpatched Windows hosts.
- The attack can permit viewing or modifying secrets within an AD database, including user password hashes; monitor for unexpected reads of the SAM database or unusual NTDS.dit access patterns.
- The vulnerability affects SAM and LSAD remote protocol RPC channel establishment; the root cause is acceptance of authentication levels that do not adequately protect the channel, not the SMB protocol itself.
- Affected Samba versions (CVE-2016-2118) span 3.6.x through 4.4.0; patched versions are 4.2.10+, 4.3.7+ and 4.4.1+. Ensure version checks in detection rules cover all affected branches.
- Exploit status at the time of the advisory: publicly disclosed but not exploited in the wild; exploitation was assessed as unlikely for both latest and older software releases.
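Worked detection example, added here and not taken from any of the sources above: a small Python parser for DCE/RPC bind PDUs that reports binds to the SAMR or LSARPC interfaces whose negotiated auth_level is below PKT_INTEGRITY. The interface UUIDs, PDU layout and auth-level numbering come from C706 / MS-RPCE; the reporting threshold, the placeholder NTLMSSP token and the sample PDUs are constructed assumptions. It expects bind PDUs already reassembled from a named-pipe or TCP/135 capture.

```python
"""Flag DCE/RPC bind requests to SAMR / LSARPC that negotiate a weak auth level."""
import struct
import uuid

# Well-known interface UUIDs (MS-SAMR, MS-LSAD, MS-SRVS) and the NDR32 transfer syntax.
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
LSARPC_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 11
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
WATCHED = {SAMR_UUID: "SAMR", LSARPC_UUID: "LSARPC"}
# Assumed detection threshold: SAMR/LSAD binds below PKT_INTEGRITY are reported.
MIN_OK_LEVEL = 5


def build_bind(iface, version, auth_level=None, auth_type=10):
    """Construct a minimal little-endian DCE/RPC bind PDU (sample traffic, not a capture)."""
    body = struct.pack("<HHI", 5840, 5840, 0)          # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)               # n_context_elem + reserved bytes
    body += struct.pack("<HBB", 0, 1, 0)               # p_cont_id, n_transfer_syn, reserved
    body += iface.bytes_le + struct.pack("<I", version)    # abstract syntax
    body += NDR32_UUID.bytes_le + struct.pack("<I", 2)     # transfer syntax NDR32 v2
    trailer = b""
    auth_length = 0
    if auth_level is not None:                         # optional auth_verifier
        token = b"NTLMSSP\x00"                         # placeholder token body (assumption)
        pad = (-len(body)) % 4                         # auth trailer is 4-byte aligned
        body += b"\x00" * pad
        trailer = struct.pack("<BBBBI", auth_type, auth_level, pad, 0, 0) + token
        auth_length = len(token)
    frag_length = 16 + len(body) + len(trailer)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", frag_length, auth_length, 1)
    return header + body + trailer


def parse_bind(pdu):
    """Return contexts and auth level of a bind PDU, or None if the PDU is not a bind."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    vers, _minor, ptype, _flags, drep, frag_length, auth_length, call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        return None
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled")
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[24]
    off = 28
    contexts = []
    for _ in range(n_ctx):
        cont_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4
        iface = uuid.UUID(bytes_le=bytes(pdu[off:off + 16]))
        version, = struct.unpack_from("<I", pdu, off + 16)
        off += 20 + 20 * n_ts                          # skip abstract + transfer syntaxes
        contexts.append((cont_id, iface, version))
    auth_type = auth_level = None
    if auth_length:
        # auth_verifier (8-byte header + auth_value) sits at the end of the fragment
        auth_type, auth_level = struct.unpack_from("<BB", pdu, frag_length - auth_length - 8)
    return {"call_id": call_id, "contexts": contexts,
            "auth_type": auth_type, "auth_level": auth_level}


def assess(pdu):
    """Return findings for weak SAMR/LSARPC binds; an empty list means nothing to report."""
    bind = parse_bind(pdu)
    if bind is None:
        return []
    level = bind["auth_level"] or 1        # no auth_verifier, or DEFAULT (0), counts as NONE
    findings = []
    for _cont_id, iface, version in bind["contexts"]:
        name = WATCHED.get(iface)
        if name and level < MIN_OK_LEVEL:
            findings.append(f"{name} v{version} bind call_id={bind['call_id']} "
                            f"auth_level={AUTH_LEVELS.get(level, level)}")
    return findings


if __name__ == "__main__":
    samples = {  # constructed sample PDUs
        "samr_privacy": build_bind(SAMR_UUID, 1, auth_level=6),
        "lsarpc_connect": build_bind(LSARPC_UUID, 0, auth_level=2),
        "samr_anonymous": build_bind(SAMR_UUID, 1),
        "srvsvc_connect": build_bind(SRVSVC_UUID, 3, auth_level=2),
    }
    for label, pdu in samples.items():
        print(label, assess(pdu) or "ok")
```

The srvsvc sample is deliberately not reported: the check is scoped to the two interfaces the advisory names, so a CONNECT-level bind elsewhere is left to other rules. A bind with no auth_verifier is treated as NONE because, over a named pipe, the channel then relies entirely on the SMB session and a downgraded SAMR/LSAD bind looks exactly like that.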
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vendor_msrc | — | 6.8 | HIGH | — |
Microsoft
Windows SAM and LSAD Downgrade Vulnerability
vendor_msrc · 2016-04-12 · CVSS 6.8 · CVE-2016-0128 [MEDIUM]
Description: An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect them adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.
To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user.
The security update addresses the vulnerability by modifying how the SAM and LSA
GHSA
GHSA-3mv9-ggpf-rmx9
ghsa_unreviewed · 2022-05-13 · CVE-2016-0128 [MEDIUM]
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."
No detection rules found.
No public exploits indexed.
Tenable
Badlock or Sadlock?
blogs_tenable · 2016-04-14 · CVSS 6.8 · CVE-2016-2118 [MEDIUM]
Kelly Prevett · April 14, 2016 · 3 Min Read
Whichever name you prefer, Badlock or Sadlock, Tenable has you covered for the recently disclosed CVE-2016-2118 (Samba: SAMR and LSA man-in-the-middle attacks possible) and its Windows counterpart CVE-2016-0128/MS16-047 (Windows SAM and LSAD Downgrade Vulnerability). Nessus®, SecurityCenter™, SecurityCenter CV™ and Passive Vulnerability Scanner™ can each determine whether you are at risk.
According to Badlock.org, the security vulnerabilities can be mostly categorized as man-in-the-middle or denial-of-service (DoS) attacks. These would permit execution of arbitrary Samba network calls using the context of the intercepted user, such as the ability to view or modify secrets within an AD database, including user passwor
Bugzilla
CVE-2016-4323 pidgin: MXIT Splash Image Arbitrary File Overwrite Vulnerability
bugzilla · 2016-06-22 · CVSS 3.7 · CVE-2016-4323 [LOW]
A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.
External references:
http://www.talosintel.com/reports/TALOS-2016-0128/
http://www.pidgin.im/news/security/?id=97
Bugzilla
CVE-2016-0737 openstack-swift: Client to proxy DoS through Large Objects
bugzilla · 2016-01-15 · CVSS 7.5 · CVE-2016-0737 [HIGH]
A DoS vulnerability in openstack-swift was reported. By repeatedly requesting and interrupting connections to a Large Object (Dynamic or Static) URL, a remote attacker may exhaust Swift proxy-server resources, potentially resulting in a denial of service.
Affects versions: >=2.2.1 <= 2.3.0
Upstream patch:
https://review.openstack.org/#/c/217750/
There are two similar bugs, CVE-2016-0737 and CVE-2016-0738; this one (CVE-2016-0737) covers the client-to-proxy connection.
Discussion:
Created openstack-swift tracking bugs for this issue:
Affects: fedora-all [bug 1300608]
---
This issue is now public.
---
This issue has been addressed in the following products:
OpenStack 6 for RHEL 7
Via RHSA-2016:0128 https://rhn.redhat.
References
- http://badlock.org/
- http://www.securitytracker.com/id/1035534
- https://bto.bluecoat.com/security-advisory/sa122
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-047
- https://www.kb.cert.org/vuls/id/813296
- https://www.samba.org/samba/security/CVE-2016-2118.html
Published 2016-04-12