Bug 44646 - Allow configuration of SMB "min protocol" via UCR
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
P5 normal
UCS 4.1-4-errata
Assigned To: Felix Botner
Arvid Requate
Depends on: 44591 44643 44644
Blocks:
Reported: 2017-05-22 12:54 CEST by Felix Botner
Modified: 2017-05-24 11:10 CEST

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017051321000422, 2017051721000059
Bug group (optional): External feedback, Security
Max CVSS v3 score:


Description Felix Botner univentionstaff 2017-05-22 12:54:29 CEST
+++ This bug was initially created as a clone of Bug #44643 +++

+++ This bug was initially created as a clone of Bug #44591 +++

In consideration of WannaCry(pt)/EternalBlue and MS17-010/CVE-2017-0145, there's an urge to disable SMBv1.

MS17-010: https://technet.microsoft.com/en-US/library/security/ms17-010.aspx
CVE-2017-0145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
Technet on WannaCry(pt): https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Samba does not seem to be vulnerable to CVE-2017-0145. However, we should make it easy to disable SMBv1. AFAIK this can be achieved by setting:

min protocol = SMB2
Comment 1 Felix Botner univentionstaff 2017-05-22 13:17:11 CEST
added samba/min/protocol univention-samba4 r79489
univention-samba4.yaml r79490
Comment 2 Florian Best univentionstaff 2017-05-22 14:22:00 CEST
Attachment 8854 from Bug #44617 actually also adds a more fine-grained ability to set up the client/server protocol version settings. But this might not be needed?!
Comment 3 Felix Botner univentionstaff 2017-05-22 14:54:48 CEST
added samba/client/max/protocol and samba/client/min/protocol

univention-samba4.yaml r79507
univention-samba4 r79506
Comment 4 Felix Botner univentionstaff 2017-05-22 14:59:31 CEST
(In reply to Felix Botner from comment #3)
> added samba/client/max/protocol and samba/client/min/protocol
> 
> univention-samba4.yaml r79507
> univention-samba4 r79506

nope, wrong bug

univention-samba4.yaml r79510
univention-samba4 r79509
Comment 5 Arvid Requate univentionstaff 2017-05-22 20:31:05 CEST
Ok works. I added a warning note to the advisory that raising samba/min/protocol also requires raising samba/client/max/protocol (default: NT1):

ucr set samba/min/protocol=smb2 samba/client/max/protocol=smb2
Comment 6 Janek Walkenhorst univentionstaff 2017-05-24 11:10:29 CEST
<http://errata.software-univention.de/ucs/4.1/423.html>
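
Added example, not part of the original bug report or of univention-samba4: a small smb.conf check for the pairing noted in comment 5, flagging a server that still accepts SMBv1 and a client max protocol left below the server min protocol. Assumptions: the function names, the finding codes, the LANMAN1 server default, the SMB2/SMB3 alias mapping, and that peer hosts are configured like the audited one; the NT1 client default is the one stated in comment 5.

```python
import re

# Dialect order, oldest to newest. Treating SMB2 as SMB2_10 and SMB3 as
# SMB3_11 is an assumption of this example.
ORDER = [("CORE",), ("COREPLUS",), ("LANMAN1",), ("LANMAN2",), ("NT1",),
         ("SMB2_02",), ("SMB2_10", "SMB2"), ("SMB2_22",), ("SMB2_24",),
         ("SMB3_00",), ("SMB3_02",), ("SMB3_10",), ("SMB3_11", "SMB3")]
RANK = {name: i for i, names in enumerate(ORDER) for name in names}
# smb.conf synonym, compared lowercased with whitespace removed.
SYNONYMS = {"minprotocol": "serverminprotocol"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            params[SYNONYMS.get(key, key)] = value.strip().upper()
    return params

def audit(text, server_min_default="LANMAN1", client_max_default="NT1"):
    """Return finding codes for the two settings named in comment 5."""
    params = parse_global(text)
    server_min = params.get("serverminprotocol", server_min_default)
    client_max = params.get("clientmaxprotocol", client_max_default)
    unknown = [v for v in (server_min, client_max) if v not in RANK]
    if unknown:
        return ["unknown-protocol:" + v for v in unknown]
    findings = []
    if RANK[server_min] <= RANK["NT1"]:
        findings.append("server-accepts-smb1")
    if RANK[client_max] < RANK[server_min]:
        findings.append("client-max-below-server-min")
    return findings

# Constructed sample: min protocol raised, client max protocol left at default.
SAMPLE = """
[global]
    netbios name = dc1
    ; constructed example host
    min protocol = SMB2
"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['client-max-below-server-min']
```

An empty list means neither condition was found in the [global] section; settings in share sections are ignored.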