BadLock Sadlock Bug

On April 12th, 2016, an over-hyped security bug was released: BadLock Sadlock.

Engineers and marketers worked together for 3 weeks to get this problem fixed solved marketed.


I'm running Samba 4.1 and below, will it get patched?

Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to open these systems to the internet for increased visibility. While there will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for Enterprise SAMBA) some vendors probably will backport patches at a similar cost required to support Windows XP security updates.

Is there a CVE for Sadlock?

Yes. Sadlock has an assigned CVE, but you should probably focus on more important ones like those that have RCE.

Why announce Badlock before April 12th, 2016?

The main goal of this announcement was to brag about some shitty vulnerability found by the same fucking guy who wrote the code. Also, we like wasting sys admins time, along with everyone else in the community. We also thought that we could ride the hype of Heartbleed by using their template, but we know how that turned out. On the bright side, we might get an award for all this.

Yet Another Bug With A Logo?

Yes, and a website. We were hoping to get a Norse pew pew map to really drive home this super 1337 exploit and vuln we found, but for some reason we couldn't get a hold of our Norse contact. Maybe that person was on vacation.

Who found the Sadlock Bug?

Sadlock was discovered by a Samba Dev (who shall remain nameless here, but everyone knows). Great job bro, you effectively and single handedly wasted a shit ton of everyone's time.

Where to find more information?

At this time you may want to search #sadlock on twitter, as #badlock seems to have been abandoned.

This page get updates irregularly. Please don't come back for more information.

How should we deal with this overhyped bug?

Nominate it for a Pwnie Award! (Starting June 1st, 2016)

Copyright (C) 2016, shamelessly stolen from Sorry, not sorry.