Univention Bugzilla – Bug 44643
Allow configuration of SMB "min protocol" via UCR
Last modified: 2017-06-15 17:58:18 CEST
+++ This bug was initially created as a clone of Bug #44591 +++

In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.

MS17-010: https://technet.microsoft.com/en-US/library/security/ms17-010.aspx
CVE-2017-0145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1. AFAIK this can be achieved by setting:

min protocol = SMB2
added samba/min/protocol univention-samba4 r79487 univention-samba4.yaml
added samba/client/max/protocol and samba/client/min/protocol univention-samba4.yaml r79507 univention-samba4 r79506
Ok, works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):

ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2
Hi Felix and Arvid, thank you for the integration. In addition, I've re-read in smb.conf(5) that usually one should not need to raise the "client min protocol" version: "Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol." This seems to be followed by at least 2 NAS appliance systems which I have cross-checked: Qnap's current QTS 4.3 (using Samba 4.4.9 on the particular model) and FreeNAS 9.10.2-U3 (Samba 4.5.5). Both management UIs offer an option to raise the minimal protocol version, but samba-tool testparm -v eventually reveals they "only" raise the server min version.
<http://errata.software-univention.de/ucs/4.2/42.html>
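The interplay the comments describe (raising the server's protocol floor without raising the host's own client ceiling) can be checked offline against an smb.conf fragment. This is an added example, not Univention or Samba code; the dialect ranking, the SMB2/SMB3 alias targets and the LANMAN1 server default are assumptions about the Samba 4.x generation discussed here, while the NT1 client default comes from the bug itself.

```python
"""Audit the SMB protocol floor/ceiling settings of an smb.conf [global] section."""

# Dialect ordering as listed in smb.conf(5); the numeric ranks are this example's own.
_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
          "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
          "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
RANK = {name: i for i, name in enumerate(_ORDER)}
# "SMB2"/"SMB3" resolve to the top dialect of their family (assumption: exact targets vary by release).
ALIAS = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Defaults assumed for the Samba 4.x generation in the bug: client max NT1 (stated there), server min LANMAN1.
DEFAULTS = {"server min protocol": "LANMAN1", "client max protocol": "NT1"}
# Old parameter name still accepted by smb.conf and used by the bug's UCR variable.
SYNONYMS = {"min protocol": "server min protocol"}

def parse_global(conf_text):
    """Return {parameter: value} for the [global] section; names are lower-cased and whitespace-normalised."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        params[SYNONYMS.get(key, key)] = value.strip()
    return params

def rank_of(dialect):
    """Numeric rank of a dialect name as written in smb.conf or a UCR value (case-insensitive)."""
    name = dialect.upper()
    return RANK[ALIAS.get(name, name)]

def audit(conf_text):
    """Report whether SMBv1 is still negotiable and whether the client ceiling is below the server floor."""
    p = parse_global(conf_text)
    server_min = p.get("server min protocol", DEFAULTS["server min protocol"])
    client_max = p.get("client max protocol", DEFAULTS["client max protocol"])
    return {
        "server min protocol": server_min,
        "client max protocol": client_max,
        # Any dialect below SMB2_02 is an SMBv1 dialect and still negotiable on the server side.
        "smb1_allowed": rank_of(server_min) < RANK["SMB2_02"],
        # The caveat from the bug: the host's own client side cannot reach a server floor above its ceiling.
        "client_cannot_reach_own_server": rank_of(client_max) < rank_of(server_min),
    }

# Constructed fragments, not taken from any real system: untouched, half-fixed, and fully fixed.
DEFAULT_CONF = "[global]\n    workgroup = EXAMPLE\n"
HALF_FIXED = "[global]\n    min protocol = smb2\n"
FIXED = "[global]\n    server min protocol = smb2\n    client max protocol = smb2\n"
```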