Bug 44643 – Allow configuration of SMB "min protocol" via UCR

Bug 44643 - Allow configuration of SMB "min protocol" via UCR


Summary:	Allow configuration of SMB "min protocol" via UCR

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-0-errata
Assigned To:	Felix Botner
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:	44591 44644
Blocks:	44646
	Show dependency tree / graph

Reported:	2017-05-22 12:52 CEST by Felix Botner
Modified:	2017-06-15 17:58 CEST (History)
CC List:	10 users (show)

See Also:
What kind of report is it?:	Feature Request
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2017051321000422, 2017051721000059
Bug group (optional):	External feedback, Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2017-05-22 12:52:58 CEST

+++ This bug was initially created as a clone of Bug #44591 +++

In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.

MS17-010: https://technet.microsoft.com/en-US/library/security/ms17-010.aspx
CVE-2017-0145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1. AFAIK this can be achieved by setting:

min protocol = SMB2

Comment 1 Felix Botner

2017-05-22 13:16:18 CEST

added samba/min/protocol univention-samba4 r79487
univention-samba4.yaml

Comment 2 Felix Botner

2017-05-22 14:55:43 CEST

added samba/client/max/protocol and samba/client/min/protocol

univention-samba4.yaml r79507
univention-samba4 r79506

Comment 3 Arvid Requate

2017-05-22 20:37:32 CEST

Ok works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):

ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2

Comment 4 Mathieu Simon 2017-05-22 21:29:44 CEST

Hi Felix and Arvid

Thank you for the integration.

In addition I've re-read in smb.conf(5) that usually one should not need to raise the "client min protocol" version: "Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol."

This seems to be followed by at least 2 NAS appliance systems which I have cross-checked: Qnap's current QTS 4.3 (using Samba 4.4.9 on the particular model) and FreeNAS 9.10.2-U3 (Samba 4.5.5). 

Both management UIs offer an option to raise the minimal protocol version but samba-tool testparm -v eventually reveals they "only" raise the server min version.

Comment 5 Janek Walkenhorst

2017-06-15 17:58:18 CEST

<http://errata.software-univention.de/ucs/4.2/42.html>