Enabling newer versions of SMB (due to WannaCry)


Göran Roseen

May 15, 2017, 9:52:52 AM
to Alt-F
One side effect of the WannaCry worm is that a lot of people disable SMB v1 (and sometimes also v2) on their Windows machines.

After this happened to me, I noticed that I could no longer access the shares on my DNS-323.

Looking into smb.conf, I see that the parameter "max protocol" is "NT1", which equals SMB v1.
The documentation states that: "Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol."

I feel very much inclined to clear this setting, and perhaps to also set "min protocol" to at least SMB2.

But this setting is not changeable from the ALT-F UI; I have to use the Swat UI.
Will the setting be persisted anyway, or will I have to do that manually?

I have only the on-flash samba installed (ALT-F 0.1RC5), is there a need to install the on-disk package?

Is there anything else that I need to think about before I start tweaking...

Sincerely,
Göran Roseen

João Cardoso

May 15, 2017, 12:51:23 PM
to Alt-F


On Monday, 15 May 2017 14:52:52 UTC+1, Göran Roseen wrote:
One side effect of the WannaCry worm is that a lot of people disable SMB v1 (and sometimes also v2) on their Windows machines.

I don't think that to be the solution, as a lot of NAS and other embedded devices (routers, printers, POS, toasters...) use SMB1.

As far as I know, samba is not susceptible to the MS-Win SMB1 weakness, and thus the virus can't get into those devices and, as their CPU is ARM and not x86, the virus code can't be executed. I.e., ARM-based samba devices can't be the entry point or source of the virus infection.

But of course, if a PC is already infected and connected to the network with NAS mapped drives, files in the NAS can be virus encrypted.
I'm not sure what MS patches do, if they correct the SMB1 weakness or just disable SMB1. I guess that they fix the weakness, as that is what makes sense and avoids service disruption on large installations that rely on SMB1.

Quote: The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

I have one old Vista PC, no tweaking at all, and I let Windows Update apply all MS-supplied patches on it and it still accepts SMB1.

jcard@silver:~> smbclient --max-protocol=NT1 //mono/Public
Enter jcard's password: 
OS=[Windows Vista (TM) Business 6002 Service Pack 2] Server=[Windows Vista (TM) Business 6.0]
smb: \>


Notice that MS even extraordinarily distributed a patch for Vista and XP, which are not supported anymore:

Quote: Patches are now available for the 16-year-old Windows XP, Windows XP Embedded (which is still used in things like ATMs and point-of-sale systems), and Windows Server 2003. It's an extraordinary move by Microsoft, but one that was clearly justified. Patches

So I think that as long as all MS-Win patches are applied, there is no need to disable SMB1.

That said, if you are in RC5, you can't have SMB2, only SMB1 (NT1). You have to upgrade to the RC6 snapshot and enable SMB2.


After this happened to me, I noticed that I could no longer access the shares on my DNS-323.

Looking into smb.conf, I see that the parameter "max protocol" is "NT1", which equals SMB v1.
The documentation states that: "Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol."

I feel very much inclined to clear this setting, and perhaps to also set "min protocol" to at least SMB2.

But this setting is not changeable from the ALT-F UI; I have to use the Swat UI.
Will the setting be persisted anyway, or will I have to do that manually?

If you use swat, don't use the Samba webUI and shares settings won't be changed. But I think that the RC5 Samba webUI doesn't change user-added settings in the Global section, but you can try that yourself.
 

I have only the on-flash samba installed (ALT-F 0.1RC5), is there a need to install the on-disk package?

No, it is the same samba-3.5.22, SMB1 only. SMB2 is only available on samba-3.6.25, which is on RC6.

Göran Roseen

May 15, 2017, 2:22:40 PM
to Alt-F

Thanks for a really quick answer!

Just to clarify, my IT department decided to turn off SMB1, not because it fixes the vulnerability used by WannaCry (since the MS patch does that), but because this is the latest in a long row of vulnerabilities in SMB1 and it does not make sense in a corporate environment (at least not ours) to keep it enabled.

And since my work computer stopped using SMB1, fixing my NAS boxes felt like the natural way for me to go.

Perhaps I'll try RC6, I have had good experiences with upgrading Alt-F in the past.

Sincerely,
Göran Roseen
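
The smb.conf check discussed in this thread, as an added example that is not part of any poster's message or of Alt-F: it reads the [global] section and reports whether "max protocol" pins the server to SMB1 and whether "min protocol" still admits it. The two sample configurations are constructed, and the "server max protocol" / "server min protocol" spellings are the Samba 4 names for the same parameters.

```python
"""Audit the [global] protocol limits in an smb.conf (added example)."""

# Constructed samples: one pinned to SMB1 as described in the thread, one SMB2 only.
PINNED = """\
[global]
   workgroup = WORKGROUP
   ; constructed sample
   max protocol = NT1
[Public]
   path = /mnt/public
"""
SMB2_ONLY = """\
[global]
   Min Protocol = SMB2
   max protocol = SMB2
"""

def global_settings(text):
    """Return {name: value} for [global]; names lowercased, spaces removed."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            settings["".join(name.split()).lower()] = value.strip()
    return settings

def rank(proto):
    """0 = pre-NT1 dialects, 1 = NT1 (SMB1), 2 = SMB2 family, 3 = SMB3 family."""
    p = proto.upper()
    if p.startswith("SMB3"):
        return 3
    if p.startswith("SMB2"):
        return 2
    return 1 if p == "NT1" else 0

def audit(text):
    """Return a list of findings about SMB1 exposure in the given smb.conf text."""
    g = global_settings(text)
    max_p = g.get("servermaxprotocol", g.get("maxprotocol"))
    min_p = g.get("serverminprotocol", g.get("minprotocol"))
    findings = []
    if max_p is not None and rank(max_p) <= 1:
        findings.append(f"max protocol = {max_p}: server will not negotiate above SMB1")
    if min_p is None:
        findings.append("min protocol unset: SMB1 acceptance depends on the Samba default")
    elif rank(min_p) <= 1:
        findings.append(f"min protocol = {min_p}: SMB1 is still accepted")
    return findings
```

Calling `audit(open("/etc/samba/smb.conf").read())` runs the same check on a real file; that path is an assumption and differs between installations.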