A storm is coming: Get ready for “Badlock” Windows/Samba vulnerability

Hello Security Ninjas,

badlockSomething exploitable this way comes. It appears that a new, high impact vulnerability is set to be unleashed upon the cyber world on April 12th. Of course no high impact vulnerability would be complete without its own logo and website at The vulnerability affects Windows and Samba and according to the researchers who discovered it, “we are pretty sure that there will be exploits soon after we publish all relevant information.”

The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team, working at SerNet on Samba. He reported the bug to Microsoft and has been working closely with them to fix the problem. As mentioned on the website a patch will be made available on April 12th and all sysadmins should “get ready to patch all systems on this day.” Unfortunately nobody knows just how bad this vulnerability really is, and we won’t know until the patch is released.

Identification of systems that could be affected by this vulnerability is a critical first step – one that can be done before the actual patch is released and vulnerability exposed.  At this point all we know about Badlock is that it affects Windows and Samba, so the obvious culprit is the SMB protocol.

A quick search on SHODAN shows that there are many systems out there that are publicly available and offer an SMB Service.

Shodan-SMB Ports

The Server Message Block (SMB) Protocol is a file sharing protocol, implemented in Microsoft Windows as “Microsoft SMB Protocol”. In the OSI networking model, Microsoft SMB Protocol is most often used as an application layer or a presentation layer protocol, and it relies on lower-level protocols for transport. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available in several versions of Unix and other operating systems. So, as this affects both Windows and Linux/Unix, the impact could be substantial and will not be limited to traditional operating systems, but also network appliances and even potentially IoT devices (medical, industrial etc).

“A storm is coming and just like when a hurricane is about to hit, there are things you should do to prepare for it.”

We know the day the patch will be released and vulnerability exposed, so security and IT teams may want to plan accordingly in terms of staffing and other resources. Ken Westin from Splunk’s Security Team has sat down to share some preparation recommendations for you:

1. Identify and report on potentially affected systems

Running penetration tests and vulnerability scans from the outside to identify SMB services that may be exposed (e.g. Running on ports 135, 139 and 445) might be a good idea as well. In addition, as this vulnerability affects SMB, there is the possibility that any exploit could be wormable, so blocking these ports at the firewall level for both ingress and egress would be a good idea if such a policy is not already in place.

Most commercial Vulnerability Management tools will have content available within 24 hours to detect the vulnerability, for example Qualys, Tripwire IP360 and Tenable Nessus. Now would be a good time for organizations to ensure their VM systems are functional and all assets discoverable. These tools will ingest data that can be used by Enterprise Security Vulnerability Center where they will be able to identify systems that are vulnerable and/or unpatched.

Organizations should then also identify subnets or systems that may not be reachable by these scans, or devices that may either not have patches released (Windows XP), or that may not be patchable. One possible concern would be storage appliances.

For those that do not have Splunk Enterprise Security or integrated VM, they can use Splunk for Asset Discovery and can run reports on SMB ports (some of the scans need to be run as root).

2. Ensure visibility into traffic and attacks arriving at the potentially affected systems

Historical vulnerabilities have shown us that having data available that reveals connections from/to the vulnerable systems is critical to identify and scope if you have been targeted previously, or to identify if any anomalous host or IP is communicating with the vulnerable system. Also, having IDS/IPS information available that shows potential attacks is critical. Once the vulnerability is released most IDS/IPS vendors will have signatures available to detect potential targets quickly, so monitoring which systems are the first being targeted with new exploits in your environment can help prioritize them accordingly in the patching process. If you can’t get visibility through switches, network firewalls or endpoint firewalls into those devices, you can get additional visibility through network security tools such as Splunk Stream and Bro.

As the vulnerability affects SMB it would be a good idea to enable auditing of this service as well. Like file auditing, the Splunk Windows TA is your friend. Also the SMB service contains authentication services – that might be also be good data to have visibility into.

3. Operationalize information about BadLock in your environment

Now that you have visibility into your systems and knowledge regarding which systems support SMB, you can prepare a BadLock Operational Dashboard which will help you on the 12th of April and beyond.

How many Systems are vulnerable?

Vulnerable Systems

Take the data and create a single count of vulnerable systems. To start you can count all systems with SMB Service exposed. Once the vulnerability is released, you can then narrow it down to the information from your first vulnerability scan. Through periodic scans and the patch cycle that number should go down (depending on how fast you patch).


Attack History

Attack History

Once more information is available on how you can spot exploits that utilize the vulnerability, you can report with a time chart of attacks that are seen. This could be triggered IDS/IPS signatures, for example.

Top systems that are under attack

Top Systems

Create a table which shows the systems that are under attack. You might use sparkle lines to visualize the attacks against those systems over time.

Real-time IDS alert feed

Create a real-time table that displays _time, src, destination, signature and other relevant information as well as a lookup to visualize with a red X or a green checkmark if the attack was against a patched or unpatched system.

Create a map that visualizes exploits and where they come from

Create a real-time map that visualizes from which external IPs exploits try to knock on your door. You’ll be amazed when you see geo location specific attacks over time based on time shifts.

Bildschirmfoto 2016-03-24 um 10.21.04

Vulnerable systems vs. attacks

Vulnerable Systems vs Attacks

Create a two dimensional chart which displays the count of attacks against how many vulnerable systems over time. This shows you nicely how quick you are with patching and how long attackers need until the first exploits are written, ready and hit your environment. This would be the most impressive dashboard to show to management from my perspective. You make the risk visible to your management if you are fast with patching and attacks arrive afterwards to already patched systems.

Putting it all together:

Heart bleed Status Dashboard from NASDAQ.


All the best,


Matthias Maier
Posted by Matthias Maier

Matthias Maier is Product Marketing Manager at Splunk. Matthias is a technical evangelist for Splunk in EMEA and is responsible for communicating Splunk's go-to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation.

Join the Discussion