Platypus69
May 15, 2017, Luminary
SMB 1.0 (Given Wanna Cry)
Out of curiosity in the latest 6.7.1 firmware is SMB 1.0 disabled?
Can we control SMB so that it ONLY uses 3.0 or 2.0-3.0 for example?
- May 24, 2017
The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.
The latest RAIDiator 4.1.x and RAIDiator-arm use samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x.
Experimental SMB2 support was added in samba 3.5.x, but really you should be using a newer version of samba to use it. 3.6 isn't much newer. I'd be wanting to use newer than that. To my knowledge we don't have any plans to update samba on these old OSes.
I think SMB2 support is turned off by default on all those models.
OS6 currently uses samba 4.4.x, a much newer samba series.
I've passed on the feature request to be able to disable SMB1 support from the GUI for OS6 devices.
ctechs
May 15, 2017, Apprentice
I'm not sure what disabling SMB1 on a ReadyNAS would accomplish as far as preventing the spread or activation of this malware. I've seen no indication that Samba is vulnerable, and it would break compatibility.
- Platypus69, May 15, 2017, Luminary
Therein lies the problem...
There was no need for Microsoft to have installed SMB 1.0 for modern versions of Windows. And have it enabled.
Especially for new installs. And for non-corporate users.
Yet they did so for "backward compatibility".
A better story, to have reduced the surface area of attack, was to get people that need it to install it explicitly.
I was surprised that SMB 1.0 was still part of Windows 10 which was freshly installed a couple of months ago.
So my question was related to whether SMB 1.0 is supported on my RN316 and whether I can turn it off.
All my clients use SMB 3.0, so there is no need for SMB 1.0. It's such an ancient version of the protocol.
WannaCry is an argument against "maintaining backward compatibility forever", or having old protocols enabled by default.
I would rather only support SMB 3.0. And then be forced to upgrade clients to a later version of SMB 1.0, if I desire.
Thus the question. I could not find any configuration for the SMB version anywhere.
As opposed to stepping down protocol versions....
Same example can be made with browsers that try TLS 1.2 then TLS 1.1 then TLS 1.0 then SSL 3.0 then SSL 2.0 then SSL 1.0.
Time to move on...
- ctechs, May 15, 2017, Apprentice
You can configure samba to only allow SMB3 connections. I don't THINK there is a way to do this in the GUI at this point. Adding the following to /etc/frontview/samba/smb.conf.overrides would seem to achieve what you're after:
min protocol = SMB3
There is also an app called SMB Plus that lets you do other things to tighten down SMB security if you are so inclined.
- ctechs, May 15, 2017, Apprentice
Actually, for current versions of Samba the syntax looks like it should be:
server min protocol = SMB3
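
As an added example (not part of the thread, and not NETGEAR's or Samba's code), this Python check reads smb.conf-style text and reports whether the effective minimum server protocol still admits SMB1, treating `min protocol` and `server min protocol` as the same setting. It assumes the overrides file is merged into [global] and that an unset value falls back to LANMAN1, the built-in default of older Samba releases; the sample configs are constructed.

```python
import re

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "min protocol" is a synonym of "server min protocol" in Samba.
MIN_KEYS = {"minprotocol", "serverminprotocol"}


def smb_family(value):
    """Return 1, 2 or 3 for a Samba protocol value such as NT1, SMB2, SMB3_11."""
    v = value.strip().upper()
    if v in SMB1_DIALECTS:
        return 1
    m = re.fullmatch(r"SMB([23])(_\d\d)?", v)
    if not m:
        raise ValueError(f"unrecognised protocol value: {value!r}")
    return int(m.group(1))


def server_min_protocol(conf_text, default="LANMAN1"):
    """Effective [global] minimum protocol; the last setting wins.

    default is an assumption: the built-in value of older Samba releases.
    """
    section, value = "global", default  # an overrides fragment has no header
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, val = line.partition("=")
        # Samba ignores case and whitespace inside parameter names.
        key = re.sub(r"\s+", "", name).lower()
        if sep and section == "global" and key in MIN_KEYS:
            value = val.strip()
    return value


def allows_smb1(conf_text, default="LANMAN1"):
    return smb_family(server_min_protocol(conf_text, default)) == 1


# Constructed samples, not taken from a real device.
STOCK = "[global]\n  workgroup = WORKGROUP\n[share]\n  path = /data/share\n"
OVERRIDE = "# hardening\nServer Min Protocol = SMB3\n"

if __name__ == "__main__":
    merged = STOCK + "[global]\n" + OVERRIDE
    for label, text in (("stock", STOCK), ("with override", merged)):
        print(label, server_min_protocol(text), "SMB1 allowed:", allows_smb1(text))
```

A setting that ends up under a share section instead of [global] is ignored by this check, which is the failure mode to look for when an override appears to have no effect.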