
Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

JayLim77
Aspirant

Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

I have a ReadyNAS 4220S running 6.9.3 that is being used for SMB shares.

 

The problem we just found out is that Microsoft is patching RPC authentication to stop RPC Signing and only allow RPC Sealing, CVE-2022-38023. Multiple of our other NAS vendors have been jumping on this as this is a huge change.

Also, Samba released this statement, https://www.samba.org/samba/security/CVE-2022-38023.html, and these versions, Samba 4.15.13, 4.16.8 and 4.17.4, and later are patched to fix this issue.

 

I cannot find any updates or release notes that mention being ready for this issue or not. Is this issue not affecting ReadyNAS or is it still being worked to resolve this issue?

 

Any help would be greatly appreciated.

Message 1 of 10
JayLim77
Aspirant

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

The patch from Microsoft will be applied next month and I was hoping someone might know if ReadyNAS 4220S is or will be patched and is or is not vulnerable to having issues with the change by Microsoft.

Message 2 of 10
AnkitGH
NETGEAR Moderator

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

Hello @JayLim77 

 

And welcome to the NETGEAR Community! 🙂

 

Yes, Microsoft has released its initial security deployment; it is in the initial deployment phase and was released on Nov 8, 2022.

And as you mentioned the patch will be enforced soon.

 

And the ReadyNAS updated firmware version is 6.10.8 and it will probably not update the version in the near future.

Please keep the device in the updated firmware to avoid the vulnerabilities.

 

Probably the change by Microsoft will not affect the NAS.

 

If your issue is resolved please close the thread by clicking "Accept as solution".


Have a lovely day,
AnkitGH
Netgear Team

Message 3 of 10
Sandshark
Sensei

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S


@AnkitGH wrote:

Hello @JayLim77 

 

Probably the change by Microsoft will not affect the NAS.

 

Your best answer is probably it won't affect the NAS?  That just won't do.  From what I have read, it very much will affect anyone using AD integration to access the NAS, which I assume the original poster is doing. 

Message 4 of 10
JayLim77
Aspirant

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

Thanks @Sandshark that is exactly what I am doing.

 

The ReadyNAS is connected to AD and using security groups for its SMB Shares.

 

We have worked with Synology, NetApp, Hitachi HNAS, 45Drives with TrueNAS, and Samba based Unix-like systems. All of them are jumping in to get a fix out, or already have, before the change is applied in July by Microsoft.

 

This is a major issue as all access will be lost by AD based users. From the response it looks like Netgear does not have a fix for ReadyNAS and that will mean any and all of these systems connected to AD will stop working.

Message 5 of 10
Sandshark
Sensei

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

Every indication is that Netgear is silently exiting the NAS business and just leaving its customers hanging.  I think you should go on the assumption that Netgear will do nothing.  If that's not the case, you'll be pleasantly surprised.  Better that than caught with your pants down when the patch is implemented.

 

The NAS will not cease to work, but you'll have to change from AD to local access control.  Depending on how many users that is, it could be a daunting task.  Can you re-purpose your Netgear products as backup only, so not as many need access?  Unfortunately, I have no idea how to migrate from AD integration.

 

Another option is installing a generic Linux system since it's basically just an Intel-based motherboard.  The best way to do that is to temporarily remove the 10GBE card and install a video card.  Once you've installed and set things up for headless operation, you can swap back in the Ethernet card.  I have read that a DisplayLink USB video adapter has Linux support.  So if you need to maintain a display, you could see about using one of them.

Message 6 of 10
JayLim77
Aspirant

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

I just wanted to add I updated the ReadyNAS OS to 6.10.8 and logged in by SSH. I then ran smbstatus | grep version, which output:

 

#smbstatus | grep version
#Samba version 4.8.0

 

I checked the 4.8.0 version of Samba and the release notes from samba.org. This version is from March 13, 2018 as per https://www.samba.org/samba/history/samba-4.8.0.html

 

This is pretty bad that the version of Samba on the ReadyNAS, which is one version behind the currently available to download on this site and is the currently advertised version by auto update, is so far out of date and is over 5 years old.

 

This is just an FYI for all to know.

Message 7 of 10
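
As an added example (not part of the original thread, and not NETGEAR or Samba tooling), these shell functions compare the version string reported by smbstatus with the CVE-2022-38023 fix releases cited in this thread (4.15.13, 4.16.8, 4.17.4 and later). The function names and status labels are assumptions made for this example, and the check reflects only the upstream version number: it cannot see fixes a vendor has backported into an older build.

```shell
#!/bin/sh
# Classify an upstream Samba version against the CVE-2022-38023 fix
# releases named in the thread: 4.15.13, 4.16.8, 4.17.4 and later.
# Function names and status labels are hypothetical (example only).

# Pull "X.Y.Z" out of a banner line such as "Samba version 4.8.0".
samba_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Vv]ersion \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Prints: fixed-upstream | unfixed-upstream | unknown
cve_2022_38023_status() {
    case "$1" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # empty or non-numeric
        [0-9]*.[0-9]*.[0-9]*) ;;                  # looks like X.Y.Z
        *) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}

    if [ "$major" -gt 4 ]; then echo fixed-upstream; return 0; fi
    if [ "$major" -lt 4 ]; then echo unfixed-upstream; return 0; fi

    # Minimum patch level carrying the fix on each maintained 4.x branch.
    case "$minor" in
        15) min=13 ;;
        16) min=8 ;;
        17) min=4 ;;
        *)  # Branches after 4.17 include the fix; older ones got no release.
            if [ "$minor" -gt 17 ]; then echo fixed-upstream
            else echo unfixed-upstream; fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo fixed-upstream
    else echo unfixed-upstream; fi
}

# Constructed sample input: the banner line quoted in the post above.
banner='#Samba version 4.8.0'
ver=$(samba_version_from_banner "$banner")
echo "$ver: $(cve_2022_38023_status "$ver")"
```

On a live system the banner would come from `smbstatus | grep version`, the command used in the post above.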
StephenB
Guru

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S


@JayLim77 wrote:

I just wanted to add I updated the ReadyNAS OS to 6.10.8 and logged in by SSH. I then ran smbstatus | grep version, which output Samba Version 4.8.0

 


The SAMBA libraries used in the ReadyNAS come from the Netgear Repositories, not the Debian ones.  I believe they've made some modifications, and therefore had to backport fixes.  This suggests that you shouldn't attempt to update SAMBA via ssh.

 

Message 8 of 10
JayLim77
Aspirant

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S

I'm not sure why my earlier message was removed.

 

I merely stated I wasn't updating Samba by SSH and 4.8.0 was really old, even with backporting. Especially since Samba versions 4.15.13, 4.16.8 and 4.17.4 and later resolve the issue discussed in this thread.

 

The CVE is CVE-2022-38023 and linked here, https://www.samba.org/samba/security/CVE-2022-38023.html.

Message 9 of 10
StephenB
Guru

Re: Windows Patch for RPC Sealing and Samba for ReadyNAS 4220S


@JayLim77 wrote:

I'm not sure why my earlier message was removed.

 


It was caught by the automatic spam filter (no idea why).

 

If this happens again, you can send me a PM.

Message 10 of 10