
How Badlock was discovered and fixed

This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the "Badlock" vulnerability. One begins to understand a little better why it took as long as it did. "The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed an additional hundred patches. For the oldest supported Samba version, about four hundred patches. What started as an individual snowflake became an avalanche but it wasn't finished yet."


How Badlock was discovered and fixed

Posted Apr 18, 2016 16:43 UTC (Mon) by epa (subscriber, #39769) (6 responses)

What struck me is that between the bug's discovery and the publicized fix, the Samba 4.1 branch was discontinued for security updates. Did the noise about 'Badlock' before the public disclosure include a strong warning to upgrade from Samba 4.1 in advance so that you wouldn't be left with an unfixed version?

How Badlock was discovered and fixed

Posted Apr 18, 2016 17:44 UTC (Mon) by ab (subscriber, #788) (5 responses)

https://wiki.samba.org/index.php/Samba_Release_Planning has all the details on how Samba releases are planned and supported.

A strong warning that 4.1.0 was going to be discontinued was given in November 2015 when the Samba Team announced that major releases would be shipped every 6 months instead of 9 months. Samba 4.4.0 was originally planned to be released on March 8th 2016. Samba 4.4.0rc1 was released January 27th 2016; it took five release candidates to have 4.4.0 released, with a two-week delay, on March 22nd.

How Badlock was discovered and fixed

Posted Apr 18, 2016 19:26 UTC (Mon) by epa (subscriber, #39769) (4 responses)

Yes, there was the usual planned schedule of taking older releases out of maintenance. What I would have expected, given the hullabaloo about announcing the existence of the bug several weeks in advance, is some explicit reminder that Samba 4.1 users should upgrade to a supported version immediately in order to be ready for the fix when it comes. That would have been something useful to publicize.

You may say that the discontinuation of security updates for older versions is a matter of course, and something all Samba deployments should bear in mind anyway, but that is equally true in principle of all security practices, including the release of urgent patches for newly disclosed vulnerabilities. So what then is the point of a website unveiled several weeks ahead with scant details, apart from generating publicity for the researchers? If it is to 'raise awareness', then the imminent dropping of support for an older but vulnerable release is about the most important thing to raise awareness of, at least for the Samba side.

How Badlock was discovered and fixed

Posted Apr 19, 2016 5:02 UTC (Tue) by ab (subscriber, #788) (3 responses)

These are questions for SerNet as a company. They created the website, not the Samba Team. It was already stated multiple times that the Samba Team supports neither this practice of advertising nor bragging about the vulnerability on social networks.

However, once the publicizing had happened, we had to deal with the fact that it was there. When we were faced with the public announcement, a recommendation was made to users by Andrew Bartlett: https://lists.samba.org/archive/samba/2016-March/198526.html

What I find strange is that people who pretend they are on higher moral ground spent no time investigating what was done. This is not related to your questions here; they just reminded me of what I saw in these three weeks, including an incredible attempt to plant a thought of conspiracy by certain folks over on reddit.

How Badlock was discovered and fixed

Posted Apr 19, 2016 5:58 UTC (Tue) by epa (subscriber, #39769) (1 response)

Ah, I see, I had assumed the 'Badlock' website was somehow co-written with the Samba developers and possibly Microsoft. My bad. As you say, there was an explicit reminder to move off 4.1 in time.

How Badlock was discovered and fixed

Posted Apr 19, 2016 21:54 UTC (Tue) by rahvin (guest, #16953)

From what I've seen of the excessively polite comments from the Samba Team, this publicity was not appreciated and actually complicated their effort. But that's just my outside view. There have been a few not-so-polite comments made, but for the most part they've done a good job staying nice in a bad situation where they took the blame for something they didn't even do. Your comment is evidence of how default it was to assume Samba was responsible for the website and PR campaign.

I can't imagine how much flak they caught off the public channels.

How Badlock was discovered and fixed

Posted Apr 19, 2016 7:39 UTC (Tue) by voltagex (guest, #86296)

I see this more and more, especially on Reddit and Hacker News. There's no reading of the source (easy) or reverse engineering (harder) when extraordinary claims are made.


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds