Bug 44591 - Allow configuration of SMB "min protocol" via UCR
Allow configuration of SMB "min protocol" via UCR
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.2
Other Linux
: P5 normal with 1 vote (vote)
: UCS 4.2-0-errata
Assigned To: Felix Botner
Arvid Requate
: 44617 (view as bug list)
Depends on:
Blocks: 44643 44644 44646
  Show dependency treegraph
Reported: 2017-05-13 21:58 CEST by Michael Grandjean
Modified: 2017-05-24 10:48 CEST (History)
9 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017051321000422, 2017051721000059
Bug group (optional): External feedback, Security
Max CVSS v3 score:
best: Patch_Available+

patch proposal - copied from samba/max/protocol (3.57 KB, patch)
2017-05-13 22:07 CEST, Michael Grandjean
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Grandjean univentionstaff 2017-05-13 21:58:07 CEST
In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.

MS17-010: https://technet.microsoft.com/en-US/library/security/ms17-010.aspx
CVE-2017-0145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1. AFAIK this can be achieved by setting:

min protocol = SMB2
Comment 1 Michael Grandjean univentionstaff 2017-05-13 22:07:05 CEST
Created attachment 8848 [details]
patch proposal - copied from samba/max/protocol
Comment 2 Florian Best univentionstaff 2017-05-16 17:24:26 CEST
*** Bug 44617 has been marked as a duplicate of this bug. ***
Comment 3 Stephan Hendl 2017-05-18 08:59:11 CEST
It would be great to have that erratum for the 4.1-4 branch as well.
Comment 4 Felix Botner univentionstaff 2017-05-22 13:26:45 CEST
added samba/min/protocol
univention-samba r79495
univention-samba.yaml r79496
Comment 5 Felix Botner univentionstaff 2017-05-22 15:15:26 CEST
added samba/client/max/protocol and samba/client/min/protocol
univention-samba.yaml r79513
univention-samba r79512
Comment 6 Arvid Requate univentionstaff 2017-05-22 20:31:19 CEST
Ok works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):

ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2
Comment 7 Janek Walkenhorst univentionstaff 2017-05-24 10:48:03 CEST