
ReadyNAS Duo v2 Windows 10 2019 Fall Update Security and Shares

Woodfield
Aspirant


If you despair about Netgear support and security you are not alone: -

1. With Windows 10 Fall update 2019 SMB 1.0 is automatically removed from your PC as unsafe.

2. If you read the Microsoft thread about this, they have been warning for a long time that it is a security issue: -

support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-wind... 

3. Has Netgear done anything to either warn users or update its firmware? Absolutely not. You just find out that after the Windows Update Raidar no longer allows you to browse your drive through Windows File Explorer. Wonderful.

4. The fix is to go to Windows services, ignore the security warnings and enable SMB 1.0. So Netgear forces you to risk being the victim of ransomware etc.

5. Worse perhaps, although you can see your shares in a browser, you will be warned that the certificate used by Netgear is unsafe. Carry on at your own risk. In other words, the firm cannot even be bothered to update its certificate, never mind deal with an appropriate software update - despite the warning from Microsoft.

6. It took me ages to find the above, albeit unsatisfactory, solution and that was only thanks to the pop ups from Microsoft guiding me to the problem. 

Model: RND2000v1 (ReadyNAS Duo v1)|READYNAS DUO v1 (DISKLESS)|EOL
Message 1 of 21
StephenB
Guru


The Duo v1 was discontinued in 2011; the Duo v2 was discontinued in 2013.  Netgear ended firmware updates for both models in 2017 (similar to Microsoft ending support for Windows 7).  

 

Both models have much less memory than currently shipping ReadyNAS, and both have slow CPUs by modern standards.  Neither has hardware support for AES encryption and authentication, so performance with SMB 3 would be very slow (and likely isn't possible at all on the v1 - its hardware design is very old).

 

Newer ReadyNAS (including the entry level RN212) support SMB 3.  They also get regular security updates (including hot fixes pushed by Netgear).

 

FWIW, SMB 3 isn't enough to protect you from ransomware.  Generally ransomware comes in through your PC, and it can spread to the NAS if the PC can access it.  SMB 3 helps in enterprise networks (because it can limit the spread of the ransomware if you have a lot of PCs).  But (IMO) it doesn't help much on home networks.

 

The best approaches are to use secure cloud backup (which generally does include some ransomware protection), or to have local backups of your data that can't be accessed by your PCs.  Running real-time malware protection on the PCs can also help - though new malware might still get through.

 


@Woodfield wrote:

 

5. Worse perhaps, although you can see your shares in a browser, you will be warned that the certificate used by Netgear is unsafe. Carry on at your own risk. In other words, the firm cannot even be bothered to update its certificate, never mind deal with an appropriate software update - despite the warning from Microsoft.

You misunderstand certificates.  Netgear can't provide a CA certificate for your NAS - because that certificate declares that Netgear owns it and that it is under their administrative control. Which of course isn't the case.  Only you can get and install a CA certificate for your NAS.  The process isn't easy (and that doesn't have anything to do with Netgear).

 

What Netgear can do is generate a self-signed certificate.  That does allow the use of encrypted https, but it is vulnerable to man-in-the-middle attacks (for instance, an evil server that intercepts transactions going to your bank website).  Generally that's not a real threat on a home network - but it is a big problem with internet-hosted servers (and that is why the browsers give you those warnings).

 

BTW, I do still have a Duo v1 (and an NV+ v1) in service.  Both are used as secondary backups for my primary NAS (an RN526).  SMB is disabled on them altogether, they back up selected shares on the main NAS using rsync.

Message 2 of 21
schumaku
Guru



@Woodfield wrote:

1. With Windows 10 Fall update 2019 SMB 1.0 is automatically removed from your PC as unsafe. 


Afraid, you seem to be very new to Windows 10 and all its development and enhancement over the years. This started to happen years ago already, not much change on the Win 10 Fall Update (which is still a work in progress and not released for production). FMI start your reading here: https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows

 


@Woodfield wrote:

2. If you read the Microsoft thread about this, they have been warning for a long time that it is a security issue:  


There was a lot written about a security vulnerability which affected both Windows and OS using SAMBA. In fact, the fixes were available in the field even before this made it to the public and a lot of copycats pushing started to make a lot of noise which appears to scare people until November 2019 (and it will continue much longer).

 


@Woodfield wrote:

3. Has Netgear done anything to either warn users or update its firmware? Absolutely not. You just find out that after the Windows Update Raidar no longer allows you to browse your drive through Windows File Explorer. Wonderful.


Netgear released a firmware update back in 2017, also for your NAS, addressing the CVE-2017-7494 vulnerability, which allowed access and writes to any shared folders even if the user wasn't authorized.


@Woodfield wrote:

4. The fix is to go to Windows services, ignore the security warnings and enable SMB 1.0. So Netgear forces you to risk being the victim of ransomware etc.


The "big" vulnerability was fixed on both Windows and SAMBA source code - and deployed (https://kb.netgear.com/000038792/RAIDiator-Version-4-1-16-Sparc). Still, any shared folder legally accessible on a NAS, a Windows PC or Server, on a business class storage system, ... can be encrypted by malware. Dropping SMB 1.0 does not change a s**t.


@Woodfield wrote:

5. Worse perhaps, although you can see your shares in a browser, you will be warned that the certificate used by Netgear is unsafe. Carry on at your own risk. In other words, the firm cannot even be bothered to update its certificate, never mind deal with an appropriate software update - despite the warning from Microsoft.


Well explained by @StephenB above already.


@Woodfield wrote:

6. It took me ages to find the above, albeit unsatisfactory, solution and that was only thanks to the pop ups from Microsoft guiding me to the problem. 


I won't talk of the fact that SMB1 isn’t modern or efficient - many features have made it to the higher protocol versions. Some would (massively) help on underpowered NAS systems like yours - however, it has never happened. Other features are simply out of scope, like protocol signing or encryption.

Enabling the CIFS/SMB 1.0 feature can be done in a very easy way on the Windows 10 systems: Just add/enable the CIFS/SMB 1.0 Client feature.

There are many legit reasons why users can and must continue using SMB 1.0 [Items 1..3 stolen from a Microsoft blog, and extended]:

    1. You’re still running XP or WS2003 under a custom support agreement.
    2. You have old management software that demands admins browse via the so-called ‘network’ aka ‘network neighbourhood’ master browser list.
    3. You run old multi-function printers with old firmware in order to “scan to share”.
    4. You operate legacy storage systems, legacy NAS models, ... only supporting SMB 1.0/CIFS.

 

Message 3 of 21
StephenB
Guru



@schumaku wrote: 

The "big" vulnerability was fixed on both Windows and SAMBA source code - and deployed https://kb.netgear.com/000038792/RAIDiator-Version-4-1-16-Sparc


@Woodfield - I'm not sure if you have a v1 or a v2 (your title says one thing, your model number field says something else).

 

@schumaku's link (4.1.16) is for the fix on the v1.  It was also fixed on the v2 at the same time (5.3.13) - that link is here: https://kb.netgear.com/000038794/RAIDiator-arm-Version-5-3-13-for-ReadyNAS-Duo-v2-NV-v2

 

If you aren't running the final firmware for your NAS, then you should update it.

Message 4 of 21
Woodfield
Aspirant


Thank you @StephenB and @schumaku for your replies. Much appreciated. 

 

However, when you write "This started to happen years ago already, not much change on the Win 10 Fall Update" I am afraid that does not accord with my experience.

 

Prior to the update Radiator worked and I could browse the V1 (my version error but prompted by the inflexibility in the way Netgear gives options). After the update Radiator would not locate and allow me to browse. Adding back the support for the protocol solved the issue but took me ages to find.

 

My real grouse is with a vendor attitude that says what you have got is old; and therefore we could not care less. Go and buy a new one. That is both wasteful and arrogant. My drive works fine and, yes, I also back up everything to OneDrive. 

Message 5 of 21
StephenB
Guru



@Woodfield wrote:

 

However, when you write "This started to happen years ago already, not much change on the Win 10 Fall Update" I am afraid that does not accord with my experience.

Microsoft announced they were deprecating SMB1 in 2014.  They got much more serious about it in May 2017, when WannaCry exploited some vulnerabilities.  FWIW, Netgear did fix those security issues in 5.3.13.

 

In the fall 2017 release of Windows 10 (1709), Microsoft stopped installing SMB1 by default in new installs of Windows 10.  They also put in automatic removal of SMB1 if it wasn't used for 15 days.  https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows At that point, we began seeing the SMB1 connectivity issues in this forum that you just ran into.

 

 

The Duo v2 was discontinued by Netgear in 2013 - before Microsoft announced the deprecation plans, and well before they implemented it in Windows 10.   

 

I agree it would have been nice to have SMB 3 support in the older NAS.  But SMB 3 would have reduced the performance of the older NAS, and it would have been quite a bit of work to add it.  FWIW, I think that Netgear was struggling to fully support the three quite different platforms (4.1.x sparc, 4.2.x intel, 5.3.x arm) they had in the field before they launched OS-6, and (in my opinion) one reason they consolidated down to one going-forward platform (OS 6) was to solve that problem.

 

In any event, all vendors (including Microsoft) do drop older platforms regularly.  Though it is annoying if you have an older product that is still working well for you.

Message 6 of 21
schumaku
Guru



@StephenB wrote:

But SMB 3 would have reduced the performance of the older NAS,


Disagree. SMB 3 does not imply there must be protocol signing or encryption. SMB 3 runs with much less overhead, supporting Jumbo Frames, boosting performance. Further on, already SMB 2.1 is performing much better over VPN connections with limited MTU than SMB 1.0 for various reasons. The ReadyNAS competitors made it happen around the same time - Netgear on the other hand wanted to get rid of the pre-OS6 systems ASAP. 

Message 7 of 21
StephenB
Guru



@schumaku wrote:

@StephenB wrote:

But SMB 3 would have reduced the performance of the older NAS,


Disagree. SMB 3 does not imply there must be protocol signing or encryption. 


I agree that w/o signing/encryption that performance would have been ok.  Leaving those features out might have been acceptable to some home NAS owners, but I think it wouldn't have been enough for many enterprises.  Perhaps not a big deal with the Duo v2, but it would have been for the 4.2.x users.

 

But Netgear didn't go there on any of the legacy NAS, so this is academic.

Message 8 of 21
PhillipNagel
Aspirant


For what it's worth, can it be possible to write an app or third-party add-on which can be downloaded into the NAS system, as a lot of these systems are still around and working perfectly behind a hardware firewall?

Message 9 of 21
StephenB
Guru



@PhillipNagel wrote:

For what it's worth, can it be possible to write an app or third-party add-on which can be downloaded into the NAS system, as a lot of these systems are still around and working perfectly behind a hardware firewall?


If it were easy to update Samba to support SMB 3 on these NAS, then I think Netgear would have done it in their final firmware releases.

 

It likely would be possible for someone to write an app that enables the experimental SMB 2 support in these NAS.  

 

Not sure there are that many v2 ReadyNAS out there, as it was only sold for 2 years.  There are a lot more posts here from v1 ReadyNAS owners.

Message 10 of 21
PhillipNagel
Aspirant


Thanks for replying this fast. Hope someone will still pick it up after all these years 🙂

 

Although new NAS products perform perhaps better, old is not always bad. We have several layers of backing up our system, and this is a useful fast in-house system working for us.

Message 11 of 21
schumaku
Guru



@PhillipNagel wrote:

For what it's worth, can it be possible to write an app or third-party add-on which can be downloaded into the NAS system ...


For both an experimental SAMBA SMBv2 enabling or a newer SAMBA version there would be Kernel updates required. Well possible, these legacy systems are built on monolithic Kernels where everything, including the SAMBA Kernel objects, are linked in hard, and these can't be unloaded/replaced.

Either way, these NAS can still be operated in current Windows 10 environments - there is no reason to change anything on the NAS...

Message 12 of 21
StephenB
Guru



@PhillipNagel wrote:

 

Although new NAS products perform perhaps better, old is not always bad. We have several layers of backing up our system, and this is a useful fast in-house system working for us.


FWIW, I have some older v1 NAS in service, as well as a Pro-6 (which at the moment is still running 4.2.31 firmware).  Though I use both for backups, my main NAS are now OS 6 models.  SMB access is deliberately turned off on the older models (only rsync is enabled).

Message 13 of 21
PhillipNagel
Aspirant


The problem I encounter right now is that the new backup software is stated on W10 pro, but enabling SMB1 is not possible on this machine due to restrictions.

The old backup software still operates on W7 without problems, but this machine will be updated also in several time. We can certainly buy new NAS machines, but they still operate without any problems after all these years and still do during next years probably.

Message 14 of 21
StephenB
Guru



@PhillipNagel wrote:

The problem I encounter right now is that the new backup software is stated on W10 pro, but enabling SMB1 is not possible on this machine due to restrictions.

Well, you either need to

  1. enable SMB1 anyway on the W10 systems (which of course can be done).
  2. try enabling SMB2 on the duo (which might be doable with the linux CLI, but might need to be re-applied after every reboot of the NAS)
  3. enable NFS and use that with W10 Pro

I don't own a v2 NAS, so I can't give any real help on (2).  Personally, I don't think (3) is any more secure than (1).

Message 15 of 21
PhillipNagel
Aspirant


Unfortunately I have no experience with Linux command line instructions for that. I assume it will be possible to use putty for connection, but then which arguments need to be written is unknown to me 🙂

Message 16 of 21
StephenB
Guru



@PhillipNagel wrote:

Unfortunately I have no experience with Linux command line instructions for that. I assume it will be possible to use putty for connection, but then which arguments need to be written is unknown to me 🙂


You mean option 2 (enable smb2)?

Message 17 of 21
PhillipNagel
Aspirant


Sorry to be not complete. Indeed I mean option two.

Message 18 of 21
StephenB
Guru



@PhillipNagel wrote:

Sorry to be not complete. Indeed I mean option two.


Well, the gist is that you'd need to change the [global] section of the smb.conf:

    min protocol = SMB2
    max protocol = SMB2

 

That would only allow SMB2.  If you wanted to allow SMB1, you'd set the first line to SMB1.

 

On most ReadyNAS that file is in /etc/samba/smb.conf.  But one problem is that this file is often autogenerated, so those lines could disappear when you change the configuration, or even reboot the NAS.

 

I don't recall anyone who did this successfully with a v2 NAS.

 

 

Message 19 of 21
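
The post above notes that smb.conf is often autogenerated, so the two protocol lines can disappear after a configuration change or reboot. As an added example (not from the thread or from Netgear, and not tested on a ReadyNAS), the shell functions below read the `[global]` protocol bounds and re-apply them only when they have drifted; the function names are hypothetical, and whether the NAS's Samba build honours `SMB2` is not confirmed by the thread.

```shell
# Added example, not from the thread; path and values follow the post above.
# Print "min=<v> max=<v>" as set in the [global] section of smb.conf $1.
# Samba ignores case and spaces in parameter names; the last assignment wins.
smb_protocol_bounds() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = toupper(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "minprotocol") min = val
            if (key == "maxprotocol") max = val
        }
        END { print "min=" (min == "" ? "unset" : min) " max=" (max == "" ? "unset" : max) }
    ' "$1"
}

# Rewrite [global] in $1 to hold exactly one min ($2) / max ($3) pair. Keeps
# $1.bak; fails without touching $1 when there is no [global] section.
set_smb_protocol_bounds() {
    tmp="$1.tmp.$$"
    awk -v min="$2" -v max="$3" '
        /^[ \t]*\[/ {
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); print
            if (in_global) {
                printf "    min protocol = %s\n    max protocol = %s\n", min, max
                done = 1
            }
            next
        }
        in_global && !/^[ \t]*[#;]/ && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            if (key == "minprotocol" || key == "maxprotocol") next  # drop old
        }
        { print }
        END { exit (done ? 0 : 2) }
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$1" "$1.bak" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Idempotent: rewrite only when the (possibly regenerated) file has drifted.
ensure_smb_protocol_bounds() {
    if [ "$(smb_protocol_bounds "$1")" = "min=$2 max=$3" ]; then
        echo unchanged
    else
        set_smb_protocol_bounds "$1" "$2" "$3" && echo reapplied
    fi
}

# Constructed sample: a regenerated file that no longer carries the settings.
demo() {
    f=$(mktemp) && printf '[global]\n  Max Protocol = NT1\n[backup]\n  path = /c/backup\n' > "$f"
    ensure_smb_protocol_bounds "$f" SMB2 SMB2; smb_protocol_bounds "$f"; rm -f "$f" "$f.bak"
}
```

On the NAS this would be called as `ensure_smb_protocol_bounds /etc/samba/smb.conf SMB2 SMB2` from a boot-time script; Samba still has to reload its configuration afterwards, which the example does not do.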
PhillipNagel
Aspirant


Good morning, until now no luck due to the fact ssh addon app is not recognized in the netgear portal. Putty entrance is denied. I am looking now for port number to get connection. Anyone familiar with this? This is not being found in the user manual, or I am overlooking it.

Message 20 of 21
StephenB
Guru



@PhillipNagel wrote:

Good morning, until now no luck due to the fact ssh addon app is not recognized in the netgear portal.


What do you mean?  Are you saying that you can't find the download link for the add-ons???

 

If so, you will find them here: https://kb.netgear.com/24545/ReadyNAS-Apps-Add-ons

 


@PhillipNagel wrote:

 Putty entrance is denied. I am looking now for port number to get connection. Anyone familiar with this? This is not being found in the user manual, or I am overlooking it.


With putty, you just use the radio button for ssh (which should use port 22).  You'd log in as root, using the NAS admin password.

 

FWIW, with windows 10 you don't actually need to use putty.  It also has built-in ssh support.  You can enter ssh root@nas-ip-address into the windows search bar (or enter it from the command prompt if you prefer).

 

Message 21 of 21