Univention Bugzilla – Bug 44646
Allow configuration of SMB "min protocol" via UCR
Last modified: 2017-05-24 11:10:29 CEST
+++ This bug was initially created as a clone of Bug #44643 +++
+++ This bug was initially created as a clone of Bug #44591 +++
In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.
MS17-010: https://technet.microsoft.com/en-US/library/security/ms17-010.aspx
CVE-2017-0145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1.
AFAIK this can be achieved by setting:
min protocol = SMB2
added samba/min/protocol
univention-samba4 r79489
univention-samba4.yaml r79490
Attachment 8854 from Bug #44617 actually also provides a more fine-grained ability to set up the client/server protocol version settings. But this might not be needed?!
added samba/client/max/protocol and samba/client/min/protocol
univention-samba4.yaml r79507
univention-samba4 r79506
(In reply to Felix Botner from comment #3)
> added samba/client/max/protocol and samba/client/min/protocol
>
> univention-samba4.yaml r79507
> univention-samba4 r79506
nope, wrong bug
univention-samba4.yaml r79510
univention-samba4 r79509
Ok works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):
ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2
<http://errata.software-univention.de/ucs/4.1/423.html>
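An added example, not part of the bug report or of Univention's code: a small audit of the [global] section of an smb.conf that flags both conditions discussed in this thread, SMB1 still being accepted and a server minimum above the client maximum. It assumes the UCR variables end up as the smb.conf parameters "min protocol" and "client max protocol"; the defaults (client max NT1 as stated above, server min LANMAN1) and the SMB2/SMB3 alias resolution are assumptions, and the sample configuration is constructed.

```python
import re

# Dialect names from smb.conf(5), ordered oldest to newest.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10",
         "SMB2_22", "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
RANK = {name: i for i, name in enumerate(ORDER)}
# Assumption: bare SMB2 / SMB3 resolve to SMB2_10 / SMB3_11.
RANK.update({"SMB2": RANK["SMB2_10"], "SMB3": RANK["SMB3_11"]})
# Assumed defaults: client max NT1 (per the comment above), server min LANMAN1.
DEFAULTS = {"serverminprotocol": "LANMAN1", "clientmaxprotocol": "NT1"}
# "min protocol" is a synonym of "server min protocol".
SYNONYMS = {"minprotocol": "serverminprotocol"}

def global_params(conf_text):
    """Return normalised [global] parameters from smb.conf text."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names ignore case and whitespace.
            key = re.sub(r"\s+", "", key).lower()
            params[SYNONYMS.get(key, key)] = value.strip().upper()
    return params

def audit(conf_text):
    """Return findings for SMB1 exposure and a client/server mismatch."""
    p = {**DEFAULTS, **global_params(conf_text)}
    srv_min, cli_max = p["serverminprotocol"], p["clientmaxprotocol"]
    for value in (srv_min, cli_max):
        if value not in RANK:
            raise ValueError(f"unknown protocol name: {value}")
    findings = []
    if RANK[srv_min] <= RANK["NT1"]:
        findings.append(f"server still accepts SMB1 (min protocol = {srv_min})")
    if RANK[cli_max] < RANK[srv_min]:
        findings.append(f"client max protocol {cli_max} is below server min {srv_min}")
    return findings

# Constructed sample: min protocol raised, client max protocol left at default.
SAMPLE = "[global]\n\tmin protocol = smb2\n"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```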