Platypus69
May 15, 2017 · Luminary
SMB 1.0 (Given Wanna Cry)
Out of curiosity, in the latest 6.7.1 firmware, is SMB 1.0 disabled?
Can we control SMB so that it ONLY uses 3.0 or 2.0-3.0, for example?
rjwerth
May 23, 2017 · Luminary
I've tried disabling SMB1 on a W10 laptop and doing that causes ReadyNAS servers to disappear from the Network Computers window. Turning it on makes everything show up nicely.
As much as I'd love to turn off SMB1, it doesn't look like you can simply do that w/o consequences.
mdgm-ntgr
May 24, 2017 · NETGEAR Employee Retired
The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.
The latest RAIDiator 4.1.x and RAIDiator-arm uses samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x
Experimental SMB2 support was added in samba 3.5.x, but really you should be using a newer version of samba to use it. 3.6 isn't much newer. I'd be wanting to use newer than that. To my knowledge we don't have any plans to update samba on these old OSes.
I think SMB2 support is turned off by default on all those models.
OS6 currently uses samba 4.4.x, a much newer samba series.
I've passed on the feature request to be able to disable SMB1 support from the GUI for OS6 devices.
- PHolder · May 25, 2017 · Aspirant
> The latest RAIDiator 4.1.x and RAIDiator-arm uses samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x
> To my knowledge we don't have any plans to update samba on these old OSes.
Given the recent CVE (CVE-2017-7494) that appears wormable, it seems to me that Netgear SHOULD be patching any version of SMB 3.5 or higher, and it would be great if you did patch SMB2 or better support into these older devices (of which I have 6.)
https://isc.sans.edu/forums/diary/Critical+Vulnerability+in+Samba+from+350+onwards/22452/
- mdgm-ntgr · May 27, 2017 · NETGEAR Employee Retired
We have a KB article: Security Advisory for CVE-2017-7494, Samba Remote Code Execution
As I explained in Any plans for Samba fix for CVE-2017-7494 ? we've backported the fix for that CVE to the samba versions we're using. I don't believe there are any current plans to backport newer samba series to our legacy OSes.
We've already released ReadyNAS OS 6.7.4 for our OS6 devices. The releases for the other devices are with QA.
- PHolder · Jun 06, 2017 · Aspirant
mdgm wrote:
> The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.
Don't be pedantic. No one suggested that ReadyNAS devices ran Windows. The issue is that the recommended fix for the WannaCry was to disable SMB 1.0 and this makes legacy ReadyNAS devices that don't support SMB 2 or greater unreachable by Windows hosts on which this advice has been followed.
- StephenB · Jun 06, 2017 · Guru - Experienced User
PHolder - can we please keep this issue to one thread?
PHolder wrote:
> The issue is that the recommended fix for the WannaCry was to disable SMB 1.0 and this makes legacy ReadyNAS devices that don't support SMB 2 or greater unreachable by Windows hosts on which this advice has been followed.
My reply to that is on your other thread; https://community.netgear.com/t5/Using-your-ReadyNAS/Any-plans-for-Samba-fix-for-CVE-2017-7494/m-p/1297911/highlight/true#M131661
The specific fix for wannacry is to install the security patches (windows and elsewhere). That doesn't mean you shouldn't disable SMB1 if you can, since it is still vulnerable to man-in-the-middle attacks. However in my view, MITM attacks are very unlikely on home networks - though they do occur on compromised enterprise networks and over-the-internet. If you keep port 445 closed in your home router, you shouldn't see any MITM threats with SMB.
FWIW, Microsoft hasn't added SMB2 or better support to Windows XP either. And they won't.
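
An added example, not part of the thread and not NETGEAR's code: a small Python check that reads the `[global]` section of an smb.conf and reports whether the configured dialect range still admits SMB1, the condition the posts above turn on. The sample configs are constructed, and the per-series defaults passed in are assumptions taken from the Samba manual pages, not from ReadyNAS firmware.

```python
# Dialects in ascending order, per smb.conf(5). Everything up to NT1 is SMB1.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# Alias targets vary by Samba release; only the SMB1 / SMB2+ split matters here.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

def parse_global(text):
    """Return {normalised_param: VALUE} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            params["".join(key.lower().split())] = value.strip().upper()
    return params

def smb_range(text, default_min="LANMAN1", default_max="SMB3"):
    """Effective (min, max) dialects; defaults assume the Samba 4.4 series."""
    p = parse_global(text)
    lo = p.get("serverminprotocol", p.get("minprotocol", default_min))
    hi = p.get("servermaxprotocol",
               p.get("maxprotocol", p.get("protocol", default_max)))
    return ALIASES.get(lo, lo), ALIASES.get(hi, hi)

def audit(text, **defaults):
    """Classify a config as SMB1-only, SMB1-allowed or SMB2+-only."""
    lo, hi = smb_range(text, **defaults)
    nt1 = DIALECTS.index("NT1")
    if DIALECTS.index(hi) <= nt1:
        return "SMB1-only"       # a client with SMB1 disabled cannot connect
    if DIALECTS.index(lo) <= nt1:
        return "SMB1-allowed"    # newer dialects offered, SMB1 still accepted
    return "SMB2+-only"

# Constructed sample configs (not taken from any ReadyNAS unit).
STOCK = "[global]\n  workgroup = HOME\n"
HARDENED = ("[global]\n  ; refuse SMB1 clients\n"
            "  server min protocol = SMB2\n  server max protocol = SMB3\n")

if __name__ == "__main__":
    print("4.4-style defaults:", audit(STOCK))
    print("3.x-style defaults:", audit(STOCK, default_min="CORE", default_max="NT1"))
    print("hardened:          ", audit(HARDENED))
```

An unrecognised dialect name raises `ValueError`, which is the safer failure for an audit than silently treating it as acceptable.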