Univention Bugzilla – Bug 44591
Allow configuration of SMB "min protocol" via UCR
Last modified: 2017-05-24 10:48:03 CEST
In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1. AFAIK this can be achieved by setting:
min protocol = SMB2
Created attachment 8848 [details]
patch proposal - copied from samba/max/protocol
*** Bug 44617 has been marked as a duplicate of this bug. ***
It would be great to have that erratum for the 4.1-4 branch as well.
added samba/client/max/protocol and samba/client/min/protocol
Ok works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):
ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2