
RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)

MarshalK
Aspirant


I have 2 2012R2 servers and WIN 7 or WIN 10 PCs only in this network. I want to disable SMBv1 for security purposes. Is there an alternative protocol I can use so my PCs and Servers can access this NAS? I removed SMBv1 from my servers and I cannot access the device. I re-installed it on 1 and I can access the NAS from that server.

 

Is there an update or firmware to allow for SMBv2/3 for a Windows network?

Model: ReadyNAS RND2000|ReadyNAS Duo Chassis only
Message 1 of 10
Sandshark
Sensei

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)

I would not expect an SMB update to OS 4.x or 5.x systems. You can alternately use NFS (if you are using Windows 10 Pro), FTP, or WebDAV. I have seen articles that say NFS doesn't work right with credentials on Win10 and you have to allow anonymous access, but that may have been fixed since they were written.

Message 2 of 10
StephenB
Guru

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)


@Sandshark wrote:

I would not expect an SMB update to OS 4.x or 5.x systems.  

 


Actually @mdgm-ntgr says differently here: https://community.netgear.com/t5/Using-your-ReadyNAS/Any-plans-for-Samba-fix-for-CVE-2017-7494/m-p/1...

Message 3 of 10
Sandshark
Sensei

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)


@StephenB wrote:

@Sandshark wrote:

I would not expect an SMB update to OS 4.x or 5.x systems.  

 


Actually @mdgm-ntgr says differently here: https://community.netgear.com/t5/Using-your-ReadyNAS/Any-plans-for-Samba-fix-for-CVE-2017-7494/m-p/1...


 

No, he said they are not updating SMB versions "at this time" and would later for OS6.  He left hanging whether they would update OS4.x or 5.x.  Given that those are based on obsolete versions of Debian, I wouldn't hold my breath to see if they do.

 

However, the patch being installed may provide an alternate solution to turning off SMB.

Message 4 of 10
StephenB
Guru

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)


@Sandshark wrote:


 

No, he said they are not updating SMB versions "at this time" and would later for OS6.  He left hanging whether they would update OS4.x or 5.x.  Given that those are based on obsolete versions of Debian, I wouldn't hold my breath to see if they do.

 


Maybe we are using "update" in two different senses. I wasn't meaning to say that SMB would be upgraded to a newer version on the legacy NAS, just that the fix for the CVE would be backported to them.

 

That's based on this statement by mdgm: "We've built firmware with the patch for CVE-2017-7494 for legacy models as well. Once they have undergone QA testing, I believe we plan to release those updates as well:"

Message 5 of 10
MarshalK
Aspirant

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)

Hi and Thank you. 

 

I am a little confused: Is there a "Patch" for the exploit in SMBv1? Where would I find one for my RND2000v1? If not, do you have any ETA on one?

 

If I am understanding correctly, NetGear will not bother to retro a firmware or software upgrade for their older products, even though there are a lot of these, unpatched and dangerous OSes still being used. This borders on criminal.  If a car has a defect, regardless of the age of the vehicle, the manufacturer would HAVE to either recall or commit to repair any cars that were still on the road with the defect.  They couldn't just ignore the problem.  This is an apt analogy as these devices are dangerous to business as they can not only be exploited, but because to use them you have to keep a network protocol that is dangerous on your network for all PCs required to use the device. Are they really suggesting that THIS type of issue, a built-in exploit, is not their responsibility to fix?  I appreciate driving the market, but if NetGear values its reputation (same for all the other manufacturers) then they need to do something and soon,  I, and all MY customers (I'm in IT) will never purchase another NetGear product again.  I will admit if it were an issue of additional functions or capabilities, suggesting to upgrade or replace the hardware to take advantage of new and improved functionality would be OK and understandable, but NOT if the issue is security or core functionality in the design of the product!

Message 6 of 10
Sandshark
Sensei

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)

The patch is still being tested, as noted in the other messages. Being a backport to an old, unsupported version of Linux, I would expect it to need a bit more testing than typical. They are fixing a known security issue, just not in the way you wanted. They are not being forced to do so.

 

Your analogy of a NAS to a car is ridiculous. A safety fault in a car can kill somebody, and mandatory recalls are only made for safety issues. Your NAS won't kill anybody unless you bash them over the head with it or throw it in the bathtub plugged in. It's also untrue. The US government does not require a no-cost recall on vehicles older than 10 years.

Message 7 of 10
MarshalK
Aspirant

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)

I do not want to get into an argument with you as I appreciate your insight and assistance in resolving these issues. But in my defense, I do want to point out that I feel very strongly that my analogy is sound.

"A safety fault in a car can kill somebody, and mandatory recalls are only made for safety issues. Your NAS won't kill anybody unless you bash them over the head with it or throw it in the bathtub plugged in."

 

I never said anything about killing people - we know of many recalls, in many industries, that were problematic but not lethal. We also know of manufacturers allowing the products in question to be returned or repaired (i.e. problems with closures on vacuum cleaner canisters, or door fittings on washing machines). There is, however, a very viable safety concern in this particular instance, as one might harden the PCs, Servers and network but still have a hole in their defenses, coming from a product whose primary use is for redundancy (backup) or data storage - both having expectations that they protect against, not enable, security issues and data loss. In addition, I think we need to acknowledge that a very large number of owners of these devices DO NOT EVEN KNOW THAT A VULNERABILITY EXISTS OR HAVE THE WHEREWITHAL TO FIX IT, UNLESS SPECIFICALLY INSTRUCTED TO DO SO. I believe this would be analogous to the "recall" letters sent out to all registered owners of the product in question. In today's world, email and informative banners on a website would both provide a far reaching, relatively free, way of providing this urgent information and alerting the users that an issue and solution exist.

 

Regardless of the age of the product, if it is still being used widely in the real world, there should be a responsibility on the manufacturer's part to repair problems found with their product - even after the fact. (Even Microsoft JUST fixed this exploit in XP - after it was discontinued for 2 years now, and for which it was stated there would be NO fixes or patches, regardless of the problems.)

 

"The US government does not require a no-cost recall on vehicles older than 10 years."

I also never said I would not be willing to pay a reasonable fee for a repair that would save me a considerable amount of money vs. replacing.   I simply stated that, as in any other manufactured product, the manufacturer has a responsibility (even if it is not directly due to a law) in providing a safe and secure product for public consumption.  Even if the problems were revealed after-the-fact, such as the SMBv1 exploit.  I am just not satisfied with the "repair" solution being buy another device that doesn't have this issue.  If that were truly the official response of NetGear, they would never sell another product!


"They are fixing a known security issue, just not in the way you wanted."

The way I wanted it to be fixed? I do not care HOW they FIX it, but replacing a working device with a new device is NOT a fix, it is a replacement. I have not blamed them for this exploit, I just want a repair so I can continue to use my otherwise working (although now known to be insecure) backup device as I have for quite a while.

 

"They are not being forced to do so."

It is a reflection on the company’s commitment to their product line that they should take every step possible and reasonable to assure their products are safe, secure and do what they are expected to do.

 

Again, I do wish to thank you for the support and insight on the NAS/SMB issue, but I do not think your bashing of my analogy was called for, or accurate. If you would like to move this post to a more "social" forum where others could chime in with their opinions and continue this conversation, I am very open to a public discourse on my views and, if I am wrong in my assumptions, to hearing other perspectives so I can reach that same conclusion.  As of now, I am standing strong on my previous statement.

 

Nuff said.

Message 8 of 10
Sandshark
Sensei

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)

You asked if there was an alternative to SMBv1 because you disabled it on your PCs. You specifically seemed to desire SMBv2 or v3.

 

As you have been told, Netgear is working on implementing the now-available SAMBA SMBv1 patch specifically to combat CVE-2017-7494, which I suspect to be the threat that caused you to disable SMBv1. But that's not going to help you if SMBv1 remains disabled on your other systems. I also offered you some alternative protocols, though none is as simple as SMB.

 

So, Netgear is incorporating a patch for the specific threat.  They are not doing so by implementing SMBv2 or v3 on legacy systems, which seems to be what you desire.  I have not really looked into how XP is being patched to fix this, but I expect it is very similar.  They also apparently aren't doing it fast enough for you.  It's been all of 5 days.  I think you will find that the other NAS vendors' positions are quite similar at this point.  None of them have the resources of Microsoft.

 

 

Message 9 of 10
StephenB
Guru

Re: RND2000v1 (ReadyNAS Duo v1) alternate protocol (trying to get rid of SMBv1)


@MarshalK wrote:

 

... but replacing a working device with a new device is NOT a fix, it is a replacement. ...


Netgear is planning to provide firmware updates for the older NAS, so they are not telling you to get a new device.

 

They will patch the SMB software on those NAS, they won't be adding newer protocol versions like SMBv3.

 

 

 

Message 10 of 10