Platypus69 (Luminary)
May 15, 2017
SMB 1.0 (Given Wanna Cry)
Out of curiosity in the latest 6.7.1 firmware is SMB 1.0 disabled?
Can we control SMB so that it ONLY uses 3.0 or 2.0-3.0 for example?
The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.
The latest RAIDiator 4.1.x and RAIDiator-arm use samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x.
Experimental SMB2 support was added in samba 3.5.x, but really you should be using a newer version of samba to use it. 3.6 isn't much newer. I'd be wanting to use newer than that. To my knowledge we don't have any plans to update samba on these old OSes.
I think SMB2 support is turned off by default on all those models.
OS6 currently uses samba 4.4.x, a much newer samba series.
I've passed on the feature request to be able to disable SMB1 support from the GUI for OS6 devices.
- ctechs (Apprentice)
I'm not sure what disabling SMB1 on a ReadyNAS would accomplish as far as preventing the spread or activation of this malware. I've seen no indication that Samba is vulnerable, and it would break compatibility.
- Platypus69 (Luminary)
Therein lies the problem...
There was no need for Microsoft to have installed SMB 1.0 for modern versions of Windows. And have it enabled.
Especially for new installs. And for non-corporate users.
Yet they did so for "backward compatibility".
A better story, to have reduced the surface area of attack, was to get people that need it to install it explicitly.
I was surprised that SMB 1.0 was still part of Windows 10 which was freshly installed a couple of months ago.
So my question was related to whether SMB 1.0 is supported on my RN316 and whether I can turn it off.
All my clients use SMB 3.0, so there is no need for SMB 1.0. It's such an ancient version of the protocol.
WannaCry is an argument against "maintaining backward compatibility forever", or having old protocols enabled by default.
I would rather only support SMB 3.0. And then be forced to upgrade clients to a later version of SMB 1.0, if I desire.
Thus the question. I could not find any configuration for the SMB version anywhere.
As opposed to stepping down protocol versions....
Same example can be made with browsers that try TLS 1.2 then TLS 1.1 then TLS 1.0 then SSL 3.0 then SSL 2.0 then SSL 1.0.
Time to move on...
- ctechs (Apprentice)
You can configure samba to only allow SMB3 connections. I don't THINK there is a way to do this in the GUI at this point. Adding the following to /etc/frontview/samba/smb.conf.overrides would seem to achieve what you're after:
min protocol = SMB3
There is also an app called SMB Plus that lets you do other things to tighten down SMB security if you are so inclined.
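A way to check whether a Samba configuration really refuses SMB1 once the override above is in place, as an added example that is not part of the original thread or NETGEAR's own code. The function names, the sample configs and the LANMAN1 default for an unset floor (the Samba 4.4 series mentioned in the thread) are assumptions of this example.

```python
# Dialect names accepted by smb.conf's "server min protocol" (synonym: "min protocol").
SMB1_FAMILY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SMB2_PLUS = {"SMB2", "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
             "SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"}
# smb.conf ignores case and whitespace in parameter names, so compare normalized.
FLOOR_KEYS = {"minprotocol", "serverminprotocol"}


def effective_floor(conf_text, default="LANMAN1"):
    """Return the minimum dialect the server accepts, per the global scope."""
    floor = default  # assumption: value used when the config never sets a floor
    in_global = True  # assumption: header-less override fragments are global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if not in_global or "=" not in line:   # global options in a share are ignored
            continue
        name, value = line.split("=", 1)
        if "".join(name.split()).lower() in FLOOR_KEYS:
            value = value.strip().upper()
            if value not in SMB1_FAMILY | SMB2_PLUS:
                raise ValueError(f"unknown dialect: {value!r}")
            floor = value                      # the last assignment wins
    return floor


def allows_smb1(conf_text, default="LANMAN1"):
    """True when an SMB1-era dialect can still be negotiated."""
    return effective_floor(conf_text, default) in SMB1_FAMILY


# Constructed sample configs (not taken from a real ReadyNAS).
STOCK = "[global]\n  workgroup = WORKGROUP\n  ; min protocol = SMB3\n"
HARDENED = STOCK + "min protocol = SMB3\n"
MISPLACED = STOCK + "[backup]\n  Min Protocol = SMB2\n"

if __name__ == "__main__":
    for label, conf in (("stock", STOCK), ("hardened", HARDENED),
                        ("misplaced", MISPLACED)):
        print(label, effective_floor(conf), "SMB1 allowed:", allows_smb1(conf))
```

The commented-out line and the setting placed under a share section both leave SMB1 enabled, which is the kind of mistake this check is meant to catch.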
- cathcam (Guide)
Can anyone comment on ReadyNAS 4.2 and SMBv2/v3 support?
EDIT: I guess more accurately I should have said RAIDiator-x86 Version 4.2.30
I have a ReadyNAS NVX and an NV+ that are used as file servers and switching off SMBv1 on Windows 10 has made them inaccessible.
- Platypus69 (Luminary)
From my understanding you should be fine with Windows 10. Obviously the recommendation is to patch it to latest.
From Microsoft (https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/)
"The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack."
What I actually did was turn off my NAS. Did not want to risk some other vector hitting them.
So will turn it back on until this "all blows over".
Anyway, hope the above URL helps.
- cathcam (Guide)
Thanks, all our Windows systems are patched, but the general recommendation shown here and elsewhere is to turn off SMBv1 in addition to patching. Turning off the NAS seems extreme and pointless in this instance since the NAS runs a variant of Linux and the current WannaCry/WannaCrypt can ONLY be spread by and to Windows systems.
There is no question that SMBv1 systems will likely be subject to some other attack, so turning it off on Windows systems is the best route to go. I'm not a RAIDiator expert and am not seeing an option to move it to v2/v3. Thanks for your reply though.