CVE-2016-2118
published 2016-04-12


Priority: P3 55 high
CVSS 3.1: 7.5 (AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H)
EPSS: 36.93% (98.3rd percentile)
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

Affected

19 ranges
Vendor    | Product      | Version range                          | Fixed in
canonical | ubuntu_linux |                                        |
canonical | ubuntu_linux |                                        |
canonical | ubuntu_linux |                                        |
canonical | ubuntu_linux |                                        |
debian    | debian_linux |                                        |
debian    | debian_linux |                                        |
debian    | samba        | < samba 2:4.3.7+dfsg-1 (bookworm)      | samba 2:4.3.7+dfsg-1 (bookworm)
samba     | samba        | >= 0 < 2:4.3.7+dfsg-1                  | 2:4.3.7+dfsg-1
samba     | samba        | >= 0 < 2:4.3.7+dfsg-1                  | 2:4.3.7+dfsg-1
samba     | samba        | >= 0 < 2:4.3.7+dfsg-1                  | 2:4.3.7+dfsg-1
samba     | samba        | >= 0 < 2:4.3.7+dfsg-1                  | 2:4.3.7+dfsg-1
samba     | samba        | >= 0 < 2:4.3.9+dfsg-0ubuntu0.14.04.1   | 2:4.3.9+dfsg-0ubuntu0.14.04.1
samba     | samba        | >= 0 < 2:4.3.8+dfsg-0ubuntu0.14.04.2   | 2:4.3.8+dfsg-0ubuntu0.14.04.2
samba     | samba        | >= 0 < 2:4.3.9+dfsg-0ubuntu0.14.04.3   | 2:4.3.9+dfsg-0ubuntu0.14.04.3
samba     | samba        | >= 0 < 2:4.3.9+dfsg-0ubuntu0.16.04.1   | 2:4.3.9+dfsg-0ubuntu0.16.04.1
samba     | samba        | >= 0 < 2:4.3.9+dfsg-0ubuntu0.16.04.2   | 2:4.3.9+dfsg-0ubuntu0.16.04.2
samba     | samba        | >= 3.6.0 < 4.2.10                      | 4.2.10
samba     | samba        | >= 4.3.0 < 4.3.7                       | 4.3.7
samba     | samba        | >= 4.4.0 < 4.4.1                       | 4.4.1

Detection & IOCs (extracted from sources)

  • Detect Badlock by identifying Samba versions in the affected range: 3.6.x, 4.0.x, 4.1.x, 4.2.0–4.2.9, 4.3.0–4.3.6, 4.4.0 via local or remote version checks (Nessus plugin 90508/90509)
  • Use Nessus plugin 90509 ('Samba Badlock Vulnerability') for an uncredentialed/remote detection of CVE-2016-2118 on Samba hosts
  • Use Nessus plugin 90510 for uncredentialed remote detection of the Windows-side Badlock vulnerability (MS16-047 / CVE-2016-0128)
  • Monitor DCE/RPC connections to SAMR and LSA services; any authenticated DCE/RPC connection can be hijacked by a MitM attacker to impersonate the user against those services
  • Alert on protocol-downgrade patterns in DCERPC traffic between clients and Samba/Windows servers handling MS-SAMR or MS-LSAD; modification of the client-server data stream is the attack vector
  • Use LCE/PVS (Nessus Network Monitor) plugin 801967 for passive network-based detection of Badlock-vulnerable Samba versions
  • The vulnerability requires an attacker to already be positioned as a man-in-the-middle on the network; it is not directly exploitable without intercepting an active authenticated DCE/RPC session
  • Both Samba (CVE-2016-2118) and Windows (CVE-2016-0128 / MS16-047) are affected; detection and patching must cover both platforms in mixed environments
  • Successful exploitation grants read/write access to the Security Account Manager database, potentially exposing all password hashes; scope of impact is very high if exploited

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |
vendor_redhat |         | 7.5   | HIGH     |
vendor_ubuntu |         | 5.9   | MEDIUM   |