
Re: SMB 1.0 (Given Wanna Cry)

Platypus69
Luminary

SMB 1.0 (Given Wanna Cry)

Out of curiosity in the latest 6.7.1 firmware is SMB 1.0 disabled?

 

Can we control SMB so that it ONLY uses 3.0 or 2.0-3.0 for example?

Model: RN31600|ReadyNAS 300 Series 6- Bay
Message 1 of 22

Accepted Solutions
mdgm-ntgr
NETGEAR Employee Retired

Re: SMB 1.0 (Given Wanna Cry)

The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.

 

The latest RAIDiator 4.1.x and RAIDiator-arm use samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x.

 

Experimental SMB2 support was added in samba 3.5.x, but really you should be using a newer version of samba to use it. 3.6 isn't much newer. I'd be wanting to use newer than that. To my knowledge we don't have any plans to update samba on these old OSes.

 

I think SMB2 support is turned off by default on all those models.

 

OS6 currently uses samba 4.4.x, a much newer samba series.

 

I've passed on the feature request to be able to disable SMB1 support from the GUI for OS6 devices.


Message 17 of 22

All Replies
ctechs
Apprentice

Re: SMB 1.0 (Given Wanna Cry)

I'm not sure what disabling SMB1 on a ReadyNAS would accomplish as far as preventing the spread or activation of this malware. I've seen no indication that Samba is vulnerable, and it would break compatibility.

Message 2 of 22
Platypus69
Luminary

Re: SMB 1.0 (Given Wanna Cry)

Therein lies the problem...

 

There was no need for Microsoft to have installed SMB 1.0 for modern versions of Windows. And have it enabled.

 

Especially for new installs. And for non-corporate users.

 

Yet they did so for "backward compatibility"

 

A better story, to have reduced the surface area of attack, was to get people that need it to install it explicitly.

 

I was surprised that SMB 1.0 was still part of Windows 10 which was freshly installed a couple of months ago.

 

So my question was related to whether SMB 1.0 is supported on my RN316 and whether I can turn it off.

 

All my clients use SMB 3.0, so there is no need for SMB 1.0. It's such an ancient version of the protocol.

 

WannaCry is an argument against "maintaining backward compatibility forever", or having old protocols enabled by default.

 

I would rather only support SMB 3.0. And then be forced to upgrade clients to a later version of SMB 1.0, if I desire.

 

Thus the question. I could not find any configuration for the SMB version anywhere.

 

As opposed to stepping down protocol versions....

 

Same example can be made with browsers that try TLS 1.2 then TLS 1.1 then TLS 1.0 then SSL 3.0 then SSL 2.0 then SSL 1.0.

 

Time to move on...

 

Message 3 of 22
ctechs
Apprentice

Re: SMB 1.0 (Given Wanna Cry)

You can configure samba to only allow SMB3 connections. I don't THINK there is a way to do this in the GUI at this point. Adding the following to /etc/frontview/samba/smb.conf.overrides would seem to achieve what you're after:

 

min protocol = SMB3

 

There is also an app called SMB Plus that lets you do other things to tighten down SMB security if you are so inclined.

Message 4 of 22
ctechs
Apprentice

Re: SMB 1.0 (Given Wanna Cry)

Actually, for current versions of Samba the syntax looks like it should be:

 

server min protocol = SMB3

Message 5 of 22
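The two replies above give the config line but no way to check what the box is currently set to, or to apply the change without ending up with several conflicting `min protocol` lines. The following POSIX shell helpers are an added example written for this thread, not NETGEAR or Samba code: they read the effective minimum protocol from an overrides file (the `/etc/frontview/samba/smb.conf.overrides` path comes from the thread; both the old `min protocol` and the current `server min protocol` spellings are recognised), report whether SMB1 clients would still be accepted, and set the value idempotently. The assumption that an absent setting means SMB1 is accepted reflects Samba's historical default of a pre-SMB2 minimum dialect.

```shell
#!/bin/sh
# Added example (not ReadyNAS/NETGEAR/Samba code): inspect and set the Samba
# minimum protocol in an overrides file such as
# /etc/frontview/samba/smb.conf.overrides (path taken from the thread above).

# Regex matching either spelling: "min protocol =" (Samba 3.x) or
# "server min protocol =" (Samba 4.x). Case-insensitive like Samba itself.
MINPROTO_RE='^[[:space:]]*(server[[:space:]]+)?min[[:space:]]+protocol[[:space:]]*='

# Print the effective minimum protocol configured in FILE, upper-cased.
# The last matching line wins, mirroring Samba's last-value-wins parsing.
# If no line is present, print DEFAULT: Samba's own default applies, which
# (assumption, based on Samba's historical defaults) still admits SMB1.
smb_min_protocol() {
    file="$1"
    val=$(grep -Ei "$MINPROTO_RE" "$file" 2>/dev/null \
          | tail -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$val" ]; then
        echo DEFAULT
    else
        echo "$val" | tr '[:lower:]' '[:upper:]'
    fi
}

# Exit status 0 when the configured minimum still lets SMB1 clients connect.
# SMB2/SMB3 dialect names (SMB2, SMB2_10, SMB3, SMB3_11, ...) shut SMB1 out;
# anything else (NT1, LANMAN1, CORE, or no setting at all) does not.
smb1_allowed() {
    case "$(smb_min_protocol "$1")" in
        SMB2|SMB2_*|SMB3|SMB3_*) return 1 ;;
        *)                       return 0 ;;
    esac
}

# Idempotently set "server min protocol = PROTO" in FILE: remove every
# earlier min-protocol line (either spelling) and append exactly one.
set_smb_min_protocol() {
    file="$1"
    proto="$2"
    tmp="$file.tmp.$$"
    # grep -v exits 1 when it filters out every line; "true" keeps the
    # group's status 0 so this is safe under "set -e".
    { [ -f "$file" ] && grep -Eiv "$MINPROTO_RE" "$file"; true; } > "$tmp"
    printf 'server min protocol = %s\n' "$proto" >> "$tmp"
    mv "$tmp" "$file"
}

# Example run against a constructed config (not a real NAS file):
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '[global]\n   workgroup = WORKGROUP\n   min protocol = NT1\n' > "$demo"
    echo "before: $(smb_min_protocol "$demo")"
    set_smb_min_protocol "$demo" SMB3
    echo "after:  $(smb_min_protocol "$demo")"
    rm -f "$demo"
fi
```

After editing the real overrides file, `testparm -s` (part of Samba) will complain about an unknown parameter name if the spelling does not match the Samba series on the device, and the SMB service has to be restarted for the new minimum to apply to existing sessions, as the SMB Plus text quoted later in the thread also notes.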
Retired_Member
Not applicable

Re: SMB 1.0 (Given Wanna Cry)

Installing SMB plus will force SMB3 to be used as default to my knowledge.

Message 6 of 22
Platypus69
Luminary

Re: SMB 1.0 (Given Wanna Cry)

Thanks all.

 

Am using latest version of SMB Plus (1.0.6).

 

It says:


ReadyNAS supports SMB protocol 3.0 by default. Some Windows applications will not work with SMB 3. For example, Microsoft System Image Backup for Windows 8/Server 2012 will not work with anything higher than SMB 2.0. Adjust the maximum protocol version ReadyNAS will support by changing the setting below.
New SMB connections will adopt the new settings. Established connections will remain connected with the previous setting. To force existing connections to change settings, the ReadyNAS or the client should be restarted.


 

So it would be good if there was also a Minimum Protocol Version option.

 

 

 

Message 7 of 22
sotrack
Luminary

Re: SMB 1.0 (Given Wanna Cry)

Disable SMBv1 and enable SMBv2 on your PC (Windows7 or Windows8 or Windows10, 32-bit or 64-bit.):
a) Open command prompt with administrator rights (press "Win" button, type "cmd", right-click "cmd.exe" and select "Run as administrator")
b) copy the text below, paste it into command prompt and press Enter

  

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v SMB1 /t reg_dword /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v SMB2 /t reg_dword /d 1 /f
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
 

 

c) reboot PC

Message 8 of 22
Platypus69
Luminary

Re: SMB 1.0 (Given Wanna Cry)

Message 9 of 22
sotrack
Luminary
cathcam
Tutor

Re: SMB 1.0 (Given Wanna Cry)

Can anyone comment on Readynas 4.2 and SMBv2/v3 support?

EDIT: I guess more accurately I should have said RAIDiator-x86 Version 4.2.30

 

I have a Readynas NVX and an NV+ that are used as file servers and switching off SMBv1 on Windows 10 has made them inaccessible. 

Message 11 of 22
Platypus69
Luminary

Re: SMB 1.0 (Given Wanna Cry)

From my understanding you should be fine with Windows 10. Obviously the recommendation is to patch it to latest.

 

From Microsoft (https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-s...)

"The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack."

 

What I actually did was turn off my NAS. Did not want to risk some other vector hitting them.

 

So will turn it back on until this "all blows over".

 

Anyway, hope the above URL helps.

Message 12 of 22
cathcam
Tutor

Re: SMB 1.0 (Given Wanna Cry)

Thanks, all our Windows systems are patched, but the general recommendation shown here and elsewhere is to turn off SMBv1 in addition to patching. Turning off the NAS seems extreme and pointless in this instance since the NAS runs a variant of Linux and the current WannaCry/WannaCrypt can ONLY be spread by and to Windows Systems.

 

There is no question that SMBv1 systems will likely be subject to some other attack, so turning it off on Windows systems is the best route to go. I'm not a RAIDiator expert and am not seeing an option to move it to v2/v3. Thanks for your reply though.

Message 13 of 22
ctechs
Apprentice

Re: SMB 1.0 (Given Wanna Cry)

I believe RAIDiator 4.x is limited to SMB v1. ReadyNAS OS 6.7 has SMB v3 support.

Message 14 of 22
cathcam
Tutor

Re: SMB 1.0 (Given Wanna Cry)

Interestingly it must support something other than SMB v1. I rebooted the ReadyNas after enabling the NFS service, and just for laughs thought I'd try to see if I could access it from Explorer, and I can. I was expecting to have to enable NFS on WIN10, and as you can see from here, neither is enabled. Interesting.
smbv1.jpg

Message 15 of 22
rjwerth
Luminary

Re: SMB 1.0 (Given Wanna Cry)

I've tried disabling SMB1 on a W10 laptop and doing that causes ReadyNAS servers to disappear from the Network Computers window. Turning it on makes everything show up nicely.

 

As much as I'd love to turn off SMB1, it doesn't look like you can simply do that w/o consequences.

Message 16 of 22
cathcam
Tutor

Re: SMB 1.0 (Given Wanna Cry)

If indeed you can't get to your ReadyNAS servers with SMB1 turned off, then you must have something else causing the problem. 

 

An alternative, if you can't get this to work, is to enable NFS on the ReadyNAS and on the WIN10 systems. That's a better alternative than leaving SMB1 active. While the patched Windows systems are protected against #Wannacry there is every likelihood there will be derivatives.

Message 18 of 22
PHolder
Aspirant

Re: SMB 1.0 (Given Wanna Cry)

> The latest RAIDiator 4.1.x and RAIDiator-arm uses samba 3.5.x. The latest RAIDiator-x86 4.2.x uses samba 3.6.x

> To my knowledge we don't have any plans to update samba on these old OSes.

 

Given the recent CVE (CVE-2017-7494) that appears wormable, it seems to me that Netgear SHOULD be patching any version of SMB 3.5 or higher, and it would be great if you did patch SMB2 or better support into these older devices (of which I have 6).

 

https://isc.sans.edu/forums/diary/Critical+Vulnerability+in+Samba+from+350+onwards/22452/

 

Model: ReadyNAS-NV+|ReadyNAS NV+,ReadyNAS RNDP600U|ReadyNAS Ultra 6 Plus Chassis only,RN10400|ReadyNAS 100 Series 4-Bay (Diskless)
Message 19 of 22
mdgm-ntgr
NETGEAR Employee Retired

Re: SMB 1.0 (Given Wanna Cry)

We have a KB article: Security Advisory for CVE-2017-7494, Samba Remote Code Execution

 

As I explained in Any plans for Samba fix for CVE-2017-7494 ? we've backported the fix for that CVE to the samba versions we're using. I don't believe there are any current plans to backport newer samba series to our legacy OSes.

 

We've already released ReadyNAS OS 6.7.4 for our OS6 devices. The releases for the other devices are with QA.

Message 20 of 22
PHolder
Aspirant

Re: SMB 1.0 (Given Wanna Cry)

mdgm wrote:

The Wanna Cry issue used an attack vector to attack Windows machines that hadn't had a security update installed. Our NAS units don't run Windows.

 

Don't be pedantic. No one suggested that ReadyNAS devices ran Windows. The issue is that the recommended fix for WannaCry was to disable SMB 1.0 and this makes legacy ReadyNAS devices that don't support SMB 2 or greater unreachable by Windows hosts on which this advice has been followed.

Message 21 of 22
StephenB
Guru

Re: SMB 1.0 (Given Wanna Cry)

@PHolder - can we please keep this issue to one thread?


PHolder wrote: 

The issue is that the recommended fix for WannaCry was to disable SMB 1.0 and this makes legacy ReadyNAS devices that don't support SMB 2 or greater unreachable by Windows hosts on which this advice has been followed.


My reply to that is on your other thread;  https://community.netgear.com/t5/Using-your-ReadyNAS/Any-plans-for-Samba-fix-for-CVE-2017-7494/m-p/1...

 

The specific fix for wannacry is to install the security patches (windows and elsewhere).  That doesn't mean you shouldn't disable SMB1 if you can, since it is still vulnerable to man-in-the-middle attacks.  However in my view, MITM attacks are very unlikely on home networks - though they do occur on compromised enterprise networks and over-the-internet.  If you keep port 445 closed in your home router, you shouldn't see any MITM threats with SMB.

 

FWIW, Microsoft hasn't added SMB2 or better support to Windows XP either.  And they won't.

 

Message 22 of 22