Reference: CERT-EU Security Advisory 2016-123

Title: Badlock Bug in Windows and Samba

Version history:
13/04/2016 Initial publication.

Summary:
========

On April 12th, 2016, Badlock, a crucial security bug [1] in Windows and
Samba, was disclosed. Badlock for Samba [2] is referenced by CVE-2016-2118 [3]
(SAMR and LSA man in the middle attacks possible) and for Windows by
CVE-2016-0128 / MS16-047 [4] (Windows SAM and LSAD Downgrade Vulnerability).

The security vulnerabilities can mostly be categorised as man-in-the-middle
or denial-of-service attacks.

Products Affected:
==================

Affected versions of Samba are: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9,
4.3.0-4.3.6, 4.4.0. Earlier versions have not been assessed.

Recommendations:
===============

Please apply the patches provided by the Samba Team and SerNet for
EnterpriseSAMBA / SAMBA+ immediately [5]. Further improvements after patching
are suggested [1].

References:
==========

[1] http://badlock.org/
[2] https://www.samba.org/samba/
[3] https://www.samba.org/samba/security/CVE-2016-2118.html
[4] https://technet.microsoft.com/library/security/MS16-047
[5] https://www.samba.org/samba/history/security.html

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html