alfred56
May 23, 2017, Tutor
No access to shares after disabling SMB1 as recommended by Microsoft
Hi everyone, in view of the latest WannaCry/Crypt attack on 12 May 2017, Microsoft recommended to patch my Windows 10 OS and disable SMB 1.0/CIFS File Sharing Support. Check this link: ht...
- Aug 23, 2017
On RAIDiator 4.1 and RAIDiator 5.3, they use versions of Samba that do not support SMB2. You will need to use the Windows tricks to re-enable SMB1 support.
On RAIDiator 4.2, it can support SMB2 but you may experience a performance hit that you could find unacceptable.
We can see about creating an unofficial add-on for RAIDiator 4.2 boxes that you can use at your own risk to use SMB2. These devices were not meant to run SMB2 though. All of the RAIDiator boxes are older than 5 years. It might be time for an upgrade.
If you are really concerned, you can unofficially upgrade most RAIDiator 4.2 boxes to OS 6 at the risk of factory defaulting your NAS and putting your data back onto the volumes. Alternatively, you can upgrade to a newer ReadyNAS and use the old ReadyNAS as a backup (always smart to have multiple backups, which eliminates single point of failure).
StephenB
Jun 24, 2017, Guru - Experienced User
tpcr wrote:
It appears to me that SMB Plus does not work, because no matter how that is set the ReadyNAS still only uses SMB1/CIFS.
SMB Plus only lets the NAS disable SMB 3 or SMB 2 - it doesn't let you disable SMB1.
But in my testing, I confirmed that I can access my OS 6 NAS when I disable SMB1 in my PC.
tpcr wrote:
What I meant when I stated 'Run', was I can get to the NAS with a direct connection in the runbox. ie \\192.168.1.28\MyShare works fine,
Issue is the shares will not show in the network workgroup list. In my case it actually hangs when I try to list the network shares.
That says you proved you can access the NAS w/o SMB1 too. Shortcuts, mapped drives, Network locations all would work. Your issue might be related to the computer browser issue I quoted above (and sounds more like a Windows issue than a NAS issue).
As I noted, I turned off SMB1 on Win-7. I can do the same on Win10 easily enough - I'll see if I can duplicate your hang.
tpcr
Jun 26, 2017, Tutor
Regardless of the SMB Plus setting, I still can only get the share listings if I enable SMB1 in Windows 10. Also, when MS totally disables SMB1, that will also remove the computer browser service, which only uses SMB1/CIFS.
The reason I say this is a Netgear issue is because I do not have this issue with my FreeNAS device where I can disable SMB1.
Make sure if you are testing with Win10, use the latest public release 1703-15063
Also, SMB Plus sets the maximum protocol version to use, not the minimum, so you cannot turn off SMB1/CIFS. I believe that is why I have this problem. The ReadyNAS communicates with SMB1 and when SMB1 is turned off in Windows it still sees the SMB1 protocol and hangs on it. Yes this is a Windows issue. I think when you disable SMB1, the driver is disabled, but Windows is still trying to use SMB1 for directory browsing and hangs because that is the protocol coming from the ReadyNAS. When you do a direct access to the network share it uses the proper SMB2/3 protocol.
So to fix this problem, you would either have to disable SMB1 from the ReadyNAS, or fix the bug in Windows, which I have reported. Over and over again to MS. Do a search for SMB issues in the feedback hub, you will see a lot of them.
- StephenB, Jun 27, 2017, Guru - Experienced User
tpcr wrote:
Regardless of the SMB Plus setting, I still can only get the share listings if I enable SMB1 in Windows 10. Also, when MS totally disables SMB1, that will also remove the computer browser service, which only uses SMB1/CIFS.
My win10 system is running version 1607 (build 14393-1358), and turning off SMB1 causes no problem with my OS 6 NAS - I could see the share list with no problem. Accessing my pro-6 share list failed (as expected). No changes were made with SMB Plus.
I know my cb isn't the same as yours, but both were updated on 13 June 2017.
If I have a chance, I will try manually updating to Windows Creator and see if I get your results. Perhaps some other OS-6 folks can also test this.
- StephenB, Jun 27, 2017, Guru - Experienced User
StephenB wrote:
If I have a chance, I will try manually updating to Windows Creator and see if I get your results. Perhaps some other OS-6 folks can also test this.
I upgraded that system to Windows 10 version 1703 (15063.413) and I am getting exactly the same results.
-with the SMB1 client enabled: I can access my OS 4.2 pro and OS 6 NAS. \\nas-ip-address shows me their share lists
-with the SMB1 client disabled: My OS 6 NAS remain accessible, and \\nas-ip-address continues to show me their share lists. My 4.2 Pro becomes not accessible.
So I can't reproduce your results. I do have NAS credentials saved in the windows credentials manager - do you?
- btaroli, Jun 29, 2017, Prodigy
The SMB1 vulnerability is on the SERVER side. You can disable it on the client all you like, but if the SERVER is accepting SMB1 requests, you may be vulnerable. There *is* a setting to add to smb.conf to properly disable the vulnerable call (it relates to netlogin), but it absolutely does disable most clients' ability to browse shares on the server.
So I would ask... do these later 6.7.4 and 6.7.5 builds properly disable SMBv1 or at least patch related vulns so that SMBv1 may remain enabled without worry?
Certainly for newer OS releases/builds lack of SMBv1 client side support will be an issue for ROS versions not supporting SMBv2 or higher... but just wanted to put this data point out there. Disabling SMBv1 on client doesn't protect your NAS/server.
- StephenB, Jun 29, 2017, Guru - Experienced User
btaroli wrote:
The SMB1 vulnerability is on the SERVER side.
I think it's important to be clear on what the threats are. The remote code execution vulnerability in SAMBA has been patched.
The inherent vulnerabilities in the SMB1 protocol itself are
- subject to security downgrade attacks
- subject to man-in-the-middle attacks
- MD5 message signing is too weak.
All of these are unacceptable in a modern internet protocol, and many enterprises will also find them unacceptable in their enterprise networks.
But the risks on a small home network are much less, and (for now at least) I am comfortable taking them. If you allow anonymous access to your shares (which is the default) none of the threats above really apply to you anyway - the door to your NAS is already wide open.
That said, I agree that customers do need the ability to disable SMB1 on ReadyNAS that support SMB 2 or better.
- btaroli, Jun 29, 2017, Prodigy
I don't disagree with that assessment. But it will happen that folks have vectors on their network that could attack the NAS (Windows machines) and/or people may choose to (dangerously, in my opinion) expose SMB through their home firewall. That would substantially increase their attack surface, despite whatever functional benefits they may derive from this.
So, when deployed in a safe way, I'd agree wholeheartedly. But as we know the home environment often includes practices that aren't all that secure. ;) So having that SMBv1 hole plugged would be a really great idea.. in the event that someone may not be totally up on updates.
I think I read somewhere that Netgear was posting updates on significantly older firmware for the Samba issues, which I thought was awesome!
- StephenB, Jun 29, 2017, Guru - Experienced User
I think we both basically agree. We'll see if Netgear goes beyond just patching the CVE - hopefully they will.
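Two points from the thread, that a setting which only caps the maximum protocol leaves SMB1 on, and that the server-side fix lives in smb.conf, can be checked against a Samba configuration. This is an added example, not code from the thread or from NETGEAR. It relies on Samba's `server min protocol` / `server max protocol` parameters and their synonyms; the sample configs are constructed, and `default_min` is an assumption that depends on the Samba version (LANMAN1 on older releases, SMB2_02 from Samba 4.11).

```python
# Added example: does a Samba [global] section still accept SMB1 dialects?
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # smb.conf(5) shorthand

def global_params(conf_text):
    """Collect [global] parameters; names compared without case or spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def canonical(value):
    name = ALIASES.get(value.strip().upper(), value.strip().upper())
    if name not in ORDER:
        raise ValueError(f"unknown dialect: {value!r}")
    return name

def audit(conf_text, default_min="LANMAN1"):
    """Return (min, max, smb1_accepted). default_min is an assumption:
    it depends on the Samba version in use."""
    p = global_params(conf_text)
    lo = canonical(p.get("serverminprotocol", p.get("minprotocol", default_min)))
    hi = canonical(p.get("servermaxprotocol",
                         p.get("maxprotocol", p.get("protocol", "SMB3"))))
    # NT1 and everything below it are SMB1-family dialects.
    accepted = ORDER.index(lo) <= ORDER.index("NT1") and ORDER.index(lo) <= ORDER.index(hi)
    return lo, hi, accepted

# Constructed sample configs (not taken from a real ReadyNAS).
MAX_ONLY = """
[global]
   workgroup = WORKGROUP
   server max protocol = SMB3
[MyShare]
   path = /data/MyShare
"""
HARDENED = """
[global]
   ; refuse every SMB1-family dialect
   Server Min Protocol = SMB2
   server max protocol = SMB3
"""

if __name__ == "__main__":
    for label, conf in (("max only", MAX_ONLY), ("min raised", HARDENED)):
        print(label, audit(conf))
```

Raising the minimum also removes SMB1-only clients and SMB1-based network browsing, which is the trade-off discussed above.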