Precaution for a Potential SMB Vulnerability

Publish Time: 2017-01-26 00:00:00 UTC+8

Last Updated: 2017-01-26 12:00:00 UTC+8

Severity: Moderate

Status: Resolved

Description

Legacy Server Message Block (SMB) v1 protocol could allow a remote attacker to obtain sensitive information from affected systems.

Mitigation

Option 1: Disable SMB v1 protocol

  • DSM 6.1

    1. Go to Control Panel > File Service > SMB > Advanced Settings and set Minimum SMB protocol to SMB2.
  • DSM 6.0

    1. Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service.
    2. Log into DSM via SSH as “admin” and execute the following command:

      sudo /usr/bin/sed -i '/\[global\]/a min protocol=SMB2\nmax protocol=SMB2' /etc/samba/smb.conf && sudo /usr/sbin/restart smbd
  • DSM 5.2 & SRM

    1. Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service.
    2. Log into DSM via SSH as “root” and execute the following command:

      /bin/sed -i '/\[global\]/a min protocol=SMB2\nmax protocol=SMB2' /etc/samba/smb.conf && /sbin/restart smbd

Note:

  1. Executing the commands above will automatically change both the maximum and minimum SMB protocols to SMB2. If needed, the maximum SMB protocol can be modified in Control Panel.
  2. Executing the commands above will restart the smb service and stop all current SMB connections and file transfers.
  3. Certain client programs support SMB1 only, such as mount.cifs and older versions of Windows. These client programs will be disconnected once SMB1 support is turned off.
  4. Since CIFS plain text password authentication (in LDAP settings) supports SMB1 only, it will become invalid once you make the changes mentioned above.
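As an added example (not part of Synology's advisory), the following POSIX shell script checks whether a Samba smb.conf already pins the minimum dialect to SMB2 or newer and, if not, inserts the same two lines that the commands above append, without duplicating them on repeated runs. The sample smb.conf is constructed and the function names are assumed; restarting smbd afterwards is still required, as the note above says.

```shell
#!/bin/sh
# Constructed sample smb.conf (not from the advisory): [global] sets no
# dialect limits, so SMB1 (NT1) is still negotiable; one share follows.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = WORKGROUP
    server string = NAS
[homes]
    browseable = no
EOF

# Print the value of a [global] key whose normalised name (lower-case, no
# spaces) matches the regex in $2; empty if unset. Like smbd, the last
# definition of a key wins.
smb_global_value() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) ~ want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}
# Succeed only when the server-side minimum dialect is SMB2 or newer.
# "min protocol" and "server min protocol" are Samba synonyms.
smb1_disabled() {
    case "$(smb_global_value "$1" '^(server)?minprotocol$' | tr 'a-z' 'A-Z')" in
        SMB2*|SMB3*) return 0 ;;
        *)           return 1 ;;
    esac
}
# Add the two lines the advisory's sed command adds, but only when the
# minimum is not already SMB2+, so re-running never duplicates entries.
enforce_smb2() {
    smb1_disabled "$1" && return 0
    tmp="$1.tmp"
    awk '{ print }
         tolower($0) ~ /^[ \t]*\[global\][ \t]*$/ && !done {
             print "\tmin protocol = SMB2"; print "\tmax protocol = SMB2"; done = 1
         }' "$1" > "$tmp" && mv "$tmp" "$1"
    smb1_disabled "$1"
}
# Usage: report, enforce, report again (no smbd restart is performed here).
smb1_disabled "$SAMPLE_CONF" && echo "before: SMB1 already off" || echo "before: SMB1 allowed"
enforce_smb2 "$SAMPLE_CONF" && echo "after: min protocol = $(smb_global_value "$SAMPLE_CONF" '^(server)?minprotocol$')"
```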

Option 2: Turn off SMB ports via firewall

  • Part 1: Create a rule to allow an IP range or subnet access to SMB file service

    1. Under Firewall Profile, please select Edit Rules.

    2. On the top left corner, click Create to create a new firewall rule.

    3. Under Ports, please find Select from a list of built-in applications and click Select to choose an application.

    4. Find and check Windows file server and click OK.

    5. Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs.

    6. Here you may specify an IP range or subnet that you would like to allow access to SMB file service. In this example, SMB access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet.

    7. Under Action, please select Allow to allow the specified IP addresses or subnet access to SMB.

    8. Once you’ve selected an action, you can click OK.

    9. You can now see that this setup will allow SMB access only for IP addresses from 192.168.1.90 to 192.168.1.99.

  • Part 2: Create a rule to deny SMB access to all other IPs

    1. Repeat steps 1-4 above in Part 1 “Create a rule to allow an IP range or subnet access to SMB file service.”
    2. Under Source IP, select All to include all IP addresses.
    3. Under Action, please select Deny to block all IP addresses or subnet access to SMB. Click OK when done.

  • After all the steps have been completed, you can see that all IPs have been denied access to SMB file service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the Allow rule for the permitted IPs must be placed before the Deny rule that blocks all IPs, because firewall rules are evaluated in order.

  • When creating firewall rules in SRM, it is required to specify the Destination IP as SRM.

Update Availability

Not available yet.
