NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

PHolder's avatar
PHolder
Aspirant
May 25, 2017
Solved

Any plans for Samba fix for CVE-2017-7494 ?

I posted elsewhere about this, but CVE-2017-7494 NEEDs to be patched on any device still in operation, and I think that includes the older, technically out of support models that I have 6 of.   Wit...
CVE-2017-7494
File Sharing
Other Discussions
Security
SMB
WannaCry
PHolder's avatar
PHolder
Aspirant
Jun 06, 2017
Spooled wrote:

Does this effectively render the NV+ / Duo obsolete if CIFS ( SMB) is required? 

 NFS & AFP are both not an option for me. 

I would argue, that yes, the lack of bringing these devices up to SMB2 or better effectively makes them obsolete.  I have disabled SMB1 on all my Windows devices, as MS has recommended, and therefore they can no longer communicate with 5 of my 6 ReadyNAS devices, because only one of them is modern enough to be able to run OS 6.  Those same devices also cannot support drives larger than 2TB and, to me, that also leaves them being obsoleted.  Your mileage will vary, but my decision on these matters was to go with a different vendor for my NAS needs, where I have a 12 bay unit that gets weekly [security] updates and is able to run SMB 3.

 

I've done a little research about trying to get an alternate OS into the legacy NASes, but that currently doesn't seem very possible.  I really wish, if Netgear no longer wishes to support these devices, they would open source the necessary components so that the FOSS community could take over and provide support.

StephenB's avatar
StephenB
Guru - Experienced User
Jun 06, 2017
PHolder wrote:

I would argue, that yes, the lack of bringing these devices up to SMB2 or better effectively makes them obsolete. 

I read the question as being  Has the CVE been addressed on legacy NAS like the NV+ and Duo?  The answer to that question is yes.

 

There are other questions one could ask:

 

Is it safe to run an NV+ or Duo v1?

In my opinion, yes.  And I still do have both deployed as a backup NAS. 

 

The way I read MS recommendation:  (a) install their security fix for SMB-1 on all your windows systems (b) remove SMB1 if equipment on your network doesn't need it as an additional security precaution.  

 

SMB-1 remains vulnerable to man-in-the-middle attacks, so I do agree that disabling it is a worthwhile precaution.  But on a home network you should be ok as long as you don't allow SMB traffic (port 445) in through your home router - which is a bad idea anyway.   FWIW, Wannacry didn't use a MITM attack. 

 

 

Are the NV+ or Duo v1 competitive with newer NAS?

Clearly not.  They are based on a 2006 hardware design, and were replaced about 6 years ago by newer ReadyNAS.  They weren't competitive in 2011, and the performance gap has only grown.

 

 

 

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More