Re: Any plans for Samba fix for CVE-2017-7494 ?

PHolder
Aspirant

Any plans for Samba fix for CVE-2017-7494 ?

I posted elsewhere about this, but CVE-2017-7494 NEEDs to be patched on any device still in operation, and I think that includes the older, technically out of support models that I have 6 of.

 

With Microsoft recommending disabling SMB 1.0 because of Wannacry and related security issues, it seems like an ideal time for Netgear to show some leadership and update SMB on all its devices to address this security issue and to allow people to use older devices with SMB 2 or 3 support.

Model: ReadyNAS RND4000|ReadyNAS NV+ Chassis only,ReadyNAS RNDP600U|ReadyNAS Ultra 6 Plus Chassis only,RN10400|ReadyNAS 100 Series 4-Bay (Diskless)
Message 1 of 20

All Replies
Danthem
NETGEAR Employee

Re: Any plans for Samba fix for CVE-2017-7494 ?

Hi PHolder,

 

A firmware upgrade with this patched is already released, 6.7.3:

https://kb.netgear.com/000038777/ReadyNAS-OS-6-Software-Version-6-7-3

Message 2 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: Any plans for Samba fix for CVE-2017-7494 ?

We've built firmware with the patch for CVE-2017-7494 for legacy models as well. Once they have undergone QA testing, I believe we plan to release those updates as well:

 

RAIDiator-4.1.16

RAIDiator-arm-5.3.13

RAIDiator-x86-4.2.31

 

As for SMB2 and SMB3, we're not updating to a newer samba series on the legacy models at this time so SMB2 support would remain experimental and remain disabled. The new firmware has the same samba version except with the patch so the netgearx at the end (where x is a number) would be incremented by one to reflect the change.

Message 3 of 20
sfriis
Tutor

Re: Any plans for Samba fix for CVE-2017-7494 ?

I just upgraded to 6.7.3, but apparently smbd is still v 4.4.9:

Welcome to ReadyNASOS 6.7.3

Last login: Fri May 26 12:58:49 2017 from xxxxx
root@xxxxxx:~# smbd --version
Version 4.4.9
root@xxxxxx:~#

Am I missing something??

Model: ReadyNAS RNDU2110|ReadyNAS Ultra 2
Message 4 of 20
ctechs
Apprentice

Re: Any plans for Samba fix for CVE-2017-7494 ?

Since this was a point release, the netgear team likely backported the fix instead of upgrading samba to the latest and greatest, to avoid breaking things.

---
ReadyNAS 516 (6.9.5) -- ReadyNAS 2100v1 (4.2.31) -- ReadyNAS Pro 4 (4.2.31)
Message 5 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: Any plans for Samba fix for CVE-2017-7494 ?


@ctechs wrote:

Since this was a point release, the netgear team likely backported the fix instead of upgrading samba to the latest and greatest, to avoid breaking things.


Exactly. In time we'll move to a newer version of samba on OS6, but for now we backported the fix.

If you look at packages.log (or do a dpkg -l) you'll see that the netgearx at the end of the version of the samba package is incremented by one (where x is a number) compared with the logs you downloaded before updating to 6.7.3. That indicates that we've added some more patches to the samba 4.4.9 code.

Message 6 of 20
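
The check described in the post above, as an added example (not NETGEAR's or any poster's code): it compares the samba package version in two saved `dpkg -l` listings and reports a backport when the upstream version is unchanged but the vendor revision rises, which `smbd --version` alone cannot show. The version strings and the `<upstream>-netgear<N>` layout are assumptions built from the thread's description.

```sh
#!/bin/sh
# Added example, not NETGEAR code. Version strings are CONSTRUCTED samples; the
# "<upstream>-netgear<N>" layout is assumed from the thread's description.

# Constructed `dpkg -l` excerpts, as saved before and after a firmware update.
BEFORE='ii  rsync  3.1.1-netgear1  amd64  fast, versatile, remote file-copying tool
ii  samba  4.4.9-netgear5  amd64  SMB/CIFS file, print, and login server'
AFTER='ii  rsync  3.1.1-netgear1  amd64  fast, versatile, remote file-copying tool
ii  samba  4.4.9-netgear6  amd64  SMB/CIFS file, print, and login server'

# Print the Version column of an installed ("ii") package from dpkg -l text.
pkg_version() {   # $1 = dpkg -l text, $2 = package name
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == "ii" && ($2 == p || index($2, p ":") == 1) { print $3; exit }'
}

# Print the vendor revision N of "<upstream>-netgear<N>"; fail on other layouts.
vendor_rev() {    # $1 = version string
    case "$1" in *-netgear*) ;; *) return 1 ;; esac
    rev=${1##*-netgear}
    case "$rev" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$rev"
}

# Classify the change: backport, upstream-changed, unchanged or unknown.
classify_update() {   # $1 = old version string, $2 = new version string
    old_rev=$(vendor_rev "$1") && new_rev=$(vendor_rev "$2") || { echo unknown; return 0; }
    if [ "${1%-netgear*}" != "${2%-netgear*}" ]; then
        echo upstream-changed          # e.g. a move to a newer samba series
    elif [ "$new_rev" -gt "$old_rev" ]; then
        echo backport                  # same upstream code, more vendor patches
    else
        echo unchanged
    fi
}

# On a real unit, replace the samples with listings saved via `dpkg -l`.
classify_update "$(pkg_version "$BEFORE" samba)" "$(pkg_version "$AFTER" samba)"
```

A higher revision shows only that the package was rebuilt with additional patches; the firmware release notes are what tie that rebuild to CVE-2017-7494.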
ciarpame
Tutor

Re: Any plans for Samba fix for CVE-2017-7494 ?



We've built firmware with the patch for CVE-2017-7494 for legacy models as well. Once they have undergone QA testing, I believe we plan to release those updates as well  

 

Do you have an ETA?

As for SMB2 and SMB3, we're not updating to a newer samba series on the legacy models at this time so SMB2 support would remain experimental and remain disabled. The new firmware has the same samba version except with the patch so the netgearx at the end (where x is a number) would be incremented by one to reflect the change.  


 

Does it mean that on my Readynas NV+v2 there is a buried disabled SMB2 I can enable by myself in some way via Putty? Can you point me to some helpful resource to do it? Side effects? Thank you

Message 8 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: Any plans for Samba fix for CVE-2017-7494 ?

Legacy Sparc, x86 and ARM firmware is now available:

RAIDiator-4.1.16 (Sparc)

RAIDiator-x86-4.2.31

RAIDiator-arm-5.3.13

Message 9 of 20
Spooled
Aspirant

Re: Any plans for Samba fix for CVE-2017-7494 ?

Does this effectively render the NV+ / Duo obsolete if CIFS (SMB) is required?

 

NFS & AFP are both not an option for me. 

Message 10 of 20
StephenB
Guru

Re: Any plans for Samba fix for CVE-2017-7494 ?


@Spooled wrote:

Does this effectively render the NV+ / Duo obsolete if CIFS (SMB) is required?

 


No.  As you can see, there are patches for the NV+/Duo which backport the CVE.

Message 11 of 20
PHolder
Aspirant

Re: Any plans for Samba fix for CVE-2017-7494 ?


@Spooled wrote:

Does this effectively render the NV+ / Duo obsolete if CIFS (SMB) is required?

 NFS & AFP are both not an option for me. 


I would argue, that yes, the lack of bringing these devices up to SMB2 or better effectively makes them obsolete.  I have disabled SMB1 on all my Windows devices, as MS has recommended, and therefore they can no longer communicate with 5 of my 6 ReadyNAS devices, because only one of them is modern enough to be able to run OS 6.  Those same devices also cannot support drives larger than 2TB and, to me, that also leaves them being obsoleted.  Your mileage will vary, but my decision on these matters was to go with a different vendor for my NAS needs, where I have a 12 bay unit that gets weekly [security] updates and is able to run SMB 3.

 

I've done a little research about trying to get an alternate OS into the legacy NASes, but that currently doesn't seem very possible.  I really wish, if Netgear no longer wishes to support these devices, they would open source the necessary components so that the FOSS community could take over and provide support.

Message 12 of 20
StephenB
Guru

Re: Any plans for Samba fix for CVE-2017-7494 ?


@PHolder wrote:


I would argue, that yes, the lack of bringing these devices up to SMB2 or better effectively makes them obsolete. 

I read the question as being "Has the CVE been addressed on legacy NAS like the NV+ and Duo?" The answer to that question is yes.

 

There are other questions one could ask:

 

Is it safe to run an NV+ or Duo v1?

In my opinion, yes.  And I still do have both deployed as a backup NAS. 

 

The way I read MS's recommendation: (a) install their security fix for SMB-1 on all your Windows systems (b) remove SMB1 if equipment on your network doesn't need it as an additional security precaution.

 

SMB-1 remains vulnerable to man-in-the-middle attacks, so I do agree that disabling it is a worthwhile precaution.  But on a home network you should be ok as long as you don't allow SMB traffic (port 445) in through your home router - which is a bad idea anyway.   FWIW, Wannacry didn't use a MITM attack. 

 

 

Are the NV+ or Duo v1 competitive with newer NAS?

Clearly not.  They are based on a 2006 hardware design, and were replaced about 6 years ago by newer ReadyNAS.  They weren't competitive in 2011, and the performance gap has only grown.

 

 

 

Message 13 of 20
Spooled
Aspirant

Re: Any plans for Samba fix for CVE-2017-7494 ?

Competitive or not, I currently have several Duos that are inaccessible now, even after updating the FW to v 4.1.16.

 

Coming in to work and discovering that all of my Netgear NASes are permanently inaccessible was a pretty big shock.  Refusing to enable SMB-2 so that I could transfer to a new device is also quite jarring.

 

I really liked my Duos - but now I am looking at other vendors.

 

 

Message 14 of 20
StephenB
Guru

Re: Any plans for Samba fix for CVE-2017-7494 ?

 

@Spooled wrote:

Coming in to work and discovering that all of my Netgear NASes are permanently inaccessible was a pretty big shock.  

  


Your IT department disabled SMB1 on your office PC?


@Spooled wrote:

Refusing to enable SMB-2 so that I could transfer to a new device is also quite jarring.

 


It's not about enabling SMB2.  They'd need to implement SMB2 on that NAS in the first place.  

 

Is FTP available?  That's another way to get the data off.  

Message 15 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: Any plans for Samba fix for CVE-2017-7494 ?

It's an old, long-discontinued product. SMB2 performance would likely be quite poor. We do have source code for GPL software available. You can try compiling a newer samba if you want, but for Sparc I don't think it would be worth the effort.

 

Personally I did ask management for all the legacy code to be released as open source some years ago but that's not my call.

 

It's my understanding that disabling SMB1 was a suggested temporary workaround till you've patched all your Windows PCs with the fix for WannaCry. Once all your PCs are patched SMB1 could be turned back on.

Message 16 of 20
cathcam
Tutor

Re: Any plans for Samba fix for CVE-2017-7494 ?

I for one would like to thank Netgear for the OS4.x update to fix Samba issues that was recently released.
https://kb.netgear.com/000038793/RAIDiator-x86-Version-4-2-31

I understand the pros and cons of continuing to support old hardware, and appreciate that Netgear continues to address the most important issues. I have two Netgear ReadyNAS devices, one I use, the other wakes up once per week and rsync backs up the one we use. One of these was purchased in 2008, the other was bought off eBay in 2015 after the power supply in the first failed. Netgear owes me nothing, these are great and very economical.

Message 17 of 20
PHolder
Aspirant

Re: Any plans for Samba fix for CVE-2017-7494 ?


@mdgm wrote:

As for SMB2 and SMB3, we're not updating to a newer samba series on the legacy models at this time so SMB2 support would remain experimental and remain disabled. The new firmware has the same samba version except with the patch so the netgearx at the end (where x is a number) would be incremented by one to reflect the change.


 

I'm going to keep beating this dead horse until it upgrades to SMB2:

 

https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-smbv1-in-windows-starting-this-...

 

SMB1 was pretty much already marked as deprecated when ReadyNAS was shipping the NV series as new devices...  and in a couple of months people who have one still working will find new installs of Windows won't be able to even access it...  It seems like the better customer service story would be a recompile and test cycle that adds the necessary SMB 2 (or even SMB 3) support since we already know it works well in Netgear's other products.

Message 18 of 20
StephenB
Guru

Re: Any plans for Samba fix for CVE-2017-7494 ?


@PHolder wrote:
It seems like the better customer service story would be a recompile ...

It would be a lot more work than that.  They'd need to back-port to the much older Linux kernel.  Memory is another potential obstacle (only 256 MB in the v1).

 

Of course we'd all love it if they did it. 

Message 19 of 20
cathcam
Tutor

Re: Any plans for Samba fix for CVE-2017-7494 ?

Don't forget running all the tests to make sure the fix doesn't break anything. Testing is the most important aspect of supporting older systems, especially in memory constrained systems.

Message 20 of 20