smb 1
Got told off the other day by IT, had uninstalled anti-virus to upgrade to 1803^H4^H5.
They asked me to reinstall asap, but I could not reach file server, since I had disabled SMBv1 forcefully... and it was running the obsolete protocol...
The Windows 10 April 2018 Update has been out for over a month now, and the rumbling of user dissatisfaction continues. This time it's networking problems for users still clinging to the venerable SMB1 protocol. Users have taken to support forums, including Microsoft's own, complaining that the latest version of Windows 10 is …
You might need to have a word with the head of your IT dept. as if a file server is being used in a work environment that doesn't support at least SMBv2 then something needs to change ASAP
Even if you disable SMBv1 on Windows 10, it will either use SMBv2 or if possible then SMBv3
"You might need to have a word with the head of your IT dept. as if a file server is being used in a work environment that doesn't support at least SMBv2 then something needs to change ASAP"
Probably including users being able to uninstall their own antivirus if they feel like it, too.
"Even if you disable SMBv1 on Windows 10, it will either use SMBv2 or if possible then SMBv3"
As Microsoft note on one of their support pages, disabling a particular version of SMB in an environment with mixed versions of Windows is a right kerfuffle -- and this really is the URL:
https://support.microsoft.com/en-gb/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
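An added example (not from any commenter, and not Microsoft's page) showing the checks a Windows admin would run before pulling SMB1 on a Windows 10 / Server 2016 box: what SMB1 state the OS is in, which dialect each live connection actually negotiated, and, if SMB1 auditing is switched on, which clients are still talking SMB1. The audit log name and event ID 3000 are as documented for Windows 10 / Server 2016; treat the rest as assumptions about your own environment.

```powershell
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.

# 1. Is the SMB1 component installed at all? (State: Enabled / Disabled)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 2. Server-side protocol switches on this machine.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# 3. Which dialect every current outbound SMB connection negotiated.
#    Anything reported as 1.x is a server (NAS, printer, old Windows)
#    that will break the moment SMB1 is removed from this client.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect |
    Sort-Object ServerName -Unique

# 4. (Server role) switch on SMB1 access auditing for a while before
#    disabling, then list the clients that still connect over SMB1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Event ID 3000 in the SMBServer/Audit log is logged once per SMB1 client.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[0].Value } |   # client address is the first property
    Sort-Object -Unique

# 5. Once nothing above is still on 1.x, turn SMB1 off.
#    Server side (takes effect immediately):
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#    Client + server component (needs a reboot; -NoRestart defers it):
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Step 3 is the one that would have caught the file server in the opening post before the antivirus was uninstalled, and step 4 is the equivalent check from the server's side.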
Replacing old NAS devices sounds like a good idea most of the time.
I recall working with a £x00,000 NAS device which had been written according to the CIFS/SMB standards of the time. We were dumping files generated on Windows XP systems for an OS upgrade. The official spec for SMB 2.0 -- as interpreted by the NAS vendor -- was that some extended file attributes were optional, so the vendor did not support them for SMB 2.0 file transfers. If a file with certain extended attributes was transferred to the NAS from a Windows 2008 R2 server, the file was rejected. However, the file was deemed valid when transferred by SMB 1.0.
The NAS vendor suggested a very long timescale for a fix. So we turned off SMB 2.x on the intermediary Windows servers and progressed at a s-l-o-w-e-r pace.
No doubt that bug/misunderstanding is fixed, but there'll be different bugs or the need to go back in time which require SMB 1.0.
Depending on how pissed off you are, you might want to argue that the device is not fit for purpose. MS have spent about half a decade pleading with everyone to stop using it ASAP. There's no way this device is fit for purpose even now, let alone for however many years a consumer product is supposed to receive support. (Looks like 6 in the UK: https://www.which.co.uk/consumer-rights/advice/what-do-i-do-if-i-have-a-faulty-product)
Failing that, name the vendor here and we can all tell as many of our friends as possible to steer clear of the brand forever.
D-Link is one, I own their DNS-323. I am avoiding D-Link from now onwards.
That's Gemini which is actually nice hardware, but the software originally skirted GPL by not releasing working kernel sources for it. The original software was actually Debian based by the way. There was a ghastly "original kernel grafted onto a generic Debian distro" load for it a while back, but that died due to lack of maintenance.
That has now been fixed, so after a very long hiatus it should work with the latest kernels. I believe 4.17 works out of the box, there are backport patches for openwrt and Debian. As a result there will be firmware for it in the next releases (finally). I am waiting for the next LEDE release to pull mine out of the dusty drawer and put it to use - the hardware in it is actually quite good.
And whilst I'm thinking about this, if Ned Pyle really wants to see the end of SMB1 he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is, in their considered expert view, not safe to connect to a network in 2018 and therefore not fit for purpose. *That*, from them, would greatly assist anyone who wants to pick a fight with vendors on this point. They could go to their Trading Standards people and say "Expert opinion is on my side here."
"And whilst I'm thinking about this, if Ned Pyle really wants to see the end of SMB1 he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is, in their considered expert view, not safe to connect to a network in 2018 and therefore not fit for purpose."
Think more or less everyone now has issued such statements. Repeatedly. For most of the last 5 years.
"he should push for MS and people like CERT to issue official statements that any device that defaults to SMB1 is [...] not safe to connect to a network"
Well, Ned works for Microsoft, and regularly tells people in his official capacity to stop using SMBv1 (eg), and US-CERT say the same. That's about as emphatic as warnings get.
If you read Ned's blog, who works for MSFT, he just about says that:
"Hi folks, Ned here again and today’s topic is short and sweet:
Stop using SMB1. Stop using SMB1. STOP USING SMB1!
In September of 2016, MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.
The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle :).
If you don’t care about the why and just want to get to the how, I recommend you review:
How to remove SMB1
The SMB1 clearinghouse
SMB1 is being removed from Windows and Windows Server
Otherwise, let me explain why this protocol needs to hit the landfill.
SMB1 isn’t safe"
ASUS are another one.
Currently shipping "top of the line" ASUS routers are being shipped with firmware that includes Samba 3.0.33, which is a decade old for crying out loud, riddled with security bugs, and supports only SMB1 (which is being deprecated everywhere, fast). And ASUS have no plans to update their current (let alone legacy) products to a modern, (more) secure version of Samba, such as Samba 4.
You can use third-party firmware alternatives for the ASUS routers that do include a more recent version of Samba 3, which would at least get you SMB2 support, but apparently the devices don't have enough flash storage to allow Samba 4 to be included.
So please, give ASUS routers a very wide berth as ASUS don't give a fsck about basic security, or their users. Alternatively, disable the outdated and insecure ASUS Samba server entirely, and use something else (Raspberry Pi3+?) for your Samba file sharing.
"So please, give ASUS routers a very wide berth as ASUS don't give a fsck about basic security, or their users. "
About 20 years ago, ASUS responded to a plethora of customer complaints about problems with their TNT2 video cards by shutting down their entire customer forum system. This caused me to set a policy of "never deal with ASUS".
More recent interactions caused by a vendor who sold us rebadged ASUS servers showed that the attitude hasn't changed (when the stuff arrived I expressed my misgivings and was overruled, things quickly turned to shit from there on the support front as the vendor was left high and dry by ASUS.)
"Was wondering why my NAS wasn't working. Never mind, I'll just go upgrade to the latest firmware. Oh, there isn't any and they're not planning the upgrade? For this device still in shops? Fk off."
SMB2 came out in 2006. I am amazed that anyone would buy a NAS in the last decade that didn't support it.
My experience has been that the people selling such rubbish are severely clue-deficient, and take the labelling on trust, which as often as not never mentions SMB version support. SMB is SMB is SMB.
So it's a combination of piss-poor documentation from the manufacturer, and low-paid sales staff.
For most of this century the well-informed salesman has been a dying breed, but at least I can download the manuals. But does that help?
Last week I was working on an old Dell workstation, it is good kit and I got a good deal. But the manual (and Dell support) are inadequate on how to fit anything in the front-of-case drive bays. Problem sorted, but it doesn't impress.
Given that the protocol has been deprecated for nearly 2 decades, it is astonishing how many products still use it as standard / don't support SMBv2 or SMBv3!
At a previous employer, we had it the other way round, we disabled SMBv1 on all servers, only for the Minolta scanners to stop working, because the scan-to-folder option only supported SMBv1, and they were new (less than 2 years old) printers!
"Oh, there isn't any and they're not planning the upgrade? For this device still in shops? Fk off."
Add Netgear to the list. We had some of their switches foisted on us recently by sales. Turns out you can't remove the vlan 1 untag on all the ports or something daft along those lines.
Last firmware update was 2013 and they are still being sold.
Never again.
I don't think it was "fecked up by design" - i.e. the original intention in the design being to feck it up.
"The design was fecked-up" is perhaps what you meant.
Then again, that's pretty standard for any networking protocol designed at the same time, when security was, well, not considered at all. SMTP probably stands out most of all :-) (although that does of course predate SMB by some considerable margin)
It's called "being expressive" by use of punctuation, capitalization, etc. I think it is MUCH better than "monotone" and puts the emphasis where _I_ want it. (NOT putting emphasis on the right words changes its meaning, JUST a bit)
facepalm icon for various reasons.
Why not use the tools that come with the silver badge next to your name? Things like bold, italics, and underlining can add just as much emphasis in the same places and make your posts easier to read at the same time. You have earned the privileges and no one will think less of you for using them.
On the other hand, by insisting on using caps to accomplish your goals you are coming across like a guy that thinks the volume of the message makes it a better argument. People will discount what you have to say because of it. Or worse, just ignore you.
"Why not just patch the vulnerability rather than disabling it?"
Microsoft HAVE patched all the SMBv1 OS security vulnerabilities to date in supported OSs - and in quite a few that were no longer supported.
There is however an unpatched denial of service issue called SMBLoris:
http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html
“The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”