Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S
I have a ReadyNAS 4220S running 6.9.3 that is being used for SMB shares.
The problem we just found out is that Microsoft is patching RPC authentication to stop RPC Signing and only allow RPC Sealing, CVE-2022-38023. Multiple of our other NAS vendors have been jumping on this as this a huge change.
I cannot find any updates or release notes that mention being ready for this issue or not. Is this issue not affecting ReadyNAS or is it still being worked to resolve this issue?
Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S
The patch from Microsoft will be applied next month and was hoping someone might know if ReadyNAS 4220S is or will be patched and is or is not vulnerable to having issues with the change by Microsoft.
Probably it is will not affect the NAS in which the change by the Microsoft.
Your best answer is probably it won't affect the NAS? That just won't do. From what I have read, it very much will affect anyone using AD integration to access the NAS, which I assume the original poster is doing.
Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S
Thanks @Sandshark that is exactly what I am doing.
The ReadyNAS is connected to AD and using security groups for its SMB Shares.
We have worked with Synology, NetApp, Hitachi HNAS, 45Drives with TrueNAS, and Samba based Unix-like systems. All of them are jumping in to get a fix out, or already have, before the change is applied in July by Microsoft.
This is a major issue as all access will be lost by AD based users. From the response it looks like Netgear does not have fix for ReadyNAS and that will mean any and all of these systems connected to AD will stop working.
Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S
Every indication is that Netgear is silently exiting the NAS business and just leaving it's customers hanging. I think you should go on the assumption that Netgear will do nothing. If that's not the case, you'll be pleasantly surprised. Better that than caught with your pants down when the patch is implemented.
The NAS will not cease to work, but you'll have to change from AD to local access control. Depending on how many users that is, it could be a daunting task. Can you re-purpose your Netgear products as backup only, so not as many need access? Unfortunately, I have no idea how to migrate from AD integration.
Another option is installing a generic Linux system since it's basically just an Intel-based motherboard. The best way to do that is to temporarily remove the 10GBE card and install a video card. Once you've installed and set things up for headless operation, you can swap back in the Ethernet card. I have read that a DisplyLink USB video adapter has Linux support. So if you need to maintain a display, you could see about using one of them.
This is pretty bad that the version of Samba on the ReadyNAS, which is one version behind the currently available to download on this site and is the currently advertised version by auto update, is so far out of date and is over 5 years old.
I just wanted to add I updated the ReadyNAS OS to 6.10.8 and logged in by SSH. I then ran smbstatus | grep version, which output Samba Version 4.8.0
The SAMBA libraries used in the ReadyNAS come from the Netgear Repositories, not the Debian ones. I believe they've made some modifications, and therefore had to backport fixes. This suggests that you shouldn't attempt to update SAMBA via ssh.
Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S
I'm not sure why my earlier message was removed.
I merely stated I wasn't updating Samba by SSH and 4.8.0 was really old, even with backporting. Especially relating to the Samba versions 4.15.13, 4.16.8 and 4.17.4 and later resolve the issue discussed in this thread.
