Precaution for a Potential SMB Vulnerability
Publish Time: 2017-01-26 00:00:00 UTC+8
Last Updated: 2017-01-26 12:00:00 UTC+8
- Severity: Moderate
- Status: Resolved
Description
The legacy Server Message Block version 1 (SMBv1) protocol could allow a remote attacker to obtain sensitive information from affected systems. Until an update is available, the mitigations below either disable SMBv1 on the device or restrict which hosts can reach the SMB service.
Severity
Moderate
Mitigation
Option 1: Disable SMB v1 protocol
DSM 6.1
- Go to Control Panel > File Service > SMB > Advanced Settings and set Minimum SMB protocol to SMB2.
DSM 6.0
- Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service.
Log into DSM via SSH as “admin” and execute the following command:
sudo /usr/bin/sed -i '/\[global\]/a min protocol=SMB2\nmax protocol=SMB2' /etc/samba/smb.conf && sudo /usr/sbin/restart smbd
DSM 5.2 & SRM
- Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service.
Log into DSM via SSH as “root” and execute the following command:
/bin/sed -i '/\[global\]/a min protocol=SMB2\nmax protocol=SMB2' /etc/samba/smb.conf && /sbin/restart smbd
Note:
- The commands above set both the minimum and the maximum SMB protocol to SMB2, so SMB3 is disabled as well until the maximum is raised again; the maximum SMB protocol can be changed in Control Panel. The sed command appends the two lines under [global] every time it runs, so run it only once.
- Executing the commands above will restart the smb service and stop all current SMB connections and file transfers.
- Certain client programs support SMB1 only, such as older versions of Windows; Linux mount.cifs also negotiates SMB1 on older kernels unless an explicit vers= option (for example vers=2.0) is given. Such clients will be disconnected once SMB1 support is turned off.
- CIFS plain-text password authentication (in the LDAP settings) works only over SMB1, so it stops working once the changes above are made.
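The advisory's one-liner appends the "min protocol" and "max protocol" lines under [global] unconditionally. As an added example that is not part of this advisory or of Synology's tooling, the shell script below makes the same edit idempotently against a constructed sample smb.conf, reads back the effective values, and includes a client-side probe using Samba's smbclient to confirm that the server refuses an SMB1-only negotiation. The sample file contents, the assumption that "protocol negotiation failed" is the wording smbclient prints when the server declines SMB1, and the host address passed to probe_smb1 are all illustrative.

```shell
#!/bin/sh
# Added example, not Synology's code: an idempotent version of the advisory's
# smb.conf edit, exercised against a constructed sample file, plus a client-side
# probe that confirms the server refuses SMB1 after the restart.
set -u

# Constructed sample smb.conf (the real file on DSM is generated by the system
# and contains more keys). Writes to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup=WORKGROUP
    server string=DiskStation
    max protocol=SMB3
[homes]
    browseable=no
EOF
}

# Set "key=value" in smb.conf ($1). "min protocol" and "max protocol" are global
# parameters, so an existing line is rewritten in place; otherwise the line is
# appended directly under [global]. Unlike the advisory's "sed /a", running this
# twice does not leave a duplicate line behind (Samba honours the last value, so
# duplicates make the effective setting hard to audit).
set_global_key() {
    conf=$1 key=$2 value=$3
    grep -q '^\[global\]' "$conf" || { echo "no [global] section in $conf" >&2; return 1; }
    if grep -qiE "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -i -E "s/^([[:space:]]*)${key}[[:space:]]*=.*/\1${key}=${value}/I" "$conf"
    else
        sed -i "/^\[global\]/a ${key}=${value}" "$conf"
    fi
}

# Same effect as the advisory's one-liner: SMB2 only. Raise "max protocol" to
# SMB3 afterwards if the clients support it; this pin also disables SMB3.
disable_smb1() {
    set_global_key "$1" 'min protocol' SMB2
    set_global_key "$1" 'max protocol' SMB2
}

# Effective value of a global key: the last matching line wins, as in Samba.
get_global_key() {
    grep -iE "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# From a client host with Samba's smbclient installed: offer only the SMB1
# dialect and see whether the server accepts it. "protocol negotiation failed"
# in smbclient's output is taken here (an assumption about its wording) to mean
# SMB1 was refused; a share listing or an authentication error means SMB1 was
# still negotiated. Newer smbclient refuses SMB1 on the client side unless
# "client min protocol" is lowered, hence the --option.
probe_smb1() {
    out=$(smbclient -m NT1 --option='client min protocol=NT1' -N -L "//$1" 2>&1)
    case $out in
        *"protocol negotiation failed"*) echo "SMB1 refused by $1"; return 0 ;;
        *) echo "SMB1 still accepted by $1"; return 1 ;;
    esac
}
```

Try disable_smb1 on a copy of /etc/samba/smb.conf first, since the live file on DSM is system-generated; then restart smbd as in the advisory and run probe_smb1 with the NAS address from a client machine, not from the NAS itself.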
Option 2: Restrict access to the SMB ports via the firewall
Part 1: Create a rule to allow an IP range or subnet access to SMB file service
1. Under Firewall Profile, select Edit Rules.
2. In the top left corner, click Create to create a new firewall rule.
3. Under Ports, choose Select from a list of built-in applications and click Select to choose an application.
4. Find and check Windows file server and click OK.
5. Under Source IP, select Specific IP and click Select on the right. (Select All instead if you want the rule to apply to every IP address.)
6. Specify the IP range or subnet that should be allowed to reach the SMB file service. In the example below, SMB access is allowed only for IP addresses from 192.168.1.90 to 192.168.1.99. Click OK once the range or subnet is entered.
7. Under Action, select Allow to let the specified IP addresses or subnet access SMB.
8. Click OK.
The resulting rule allows SMB access only for IP addresses from 192.168.1.90 to 192.168.1.99.
Part 2: Create a rule to deny SMB access to all other IPs
1. Repeat steps 1-4 of Part 1.
2. Under Source IP, select All to include all IP addresses.
3. Under Action, select Deny to block SMB access for all IP addresses. Click OK when done.
After both rules exist, every IP address is denied access to the SMB file service except those in the range 192.168.1.90 to 192.168.1.99. Rules are evaluated from top to bottom and the first match wins, so the allow rule for the trusted addresses must appear above the deny-all rule; if the deny rule comes first, it matches every client and the allow rule is never reached.
When creating firewall rules in SRM, the Destination IP must be set to SRM.
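The ordering requirement above is easy to get wrong. As an added example, not part of this advisory or of Synology's software, the script below models the firewall's top-to-bottom, first-match rule evaluation for the two rules of Option 2 and shows the outcome for a client inside the trusted range and for clients outside it, in both rule orders. The rule encoding and the assumption that a connection matching no rule is allowed are this example's own.

```shell
#!/bin/sh
# Added example, not Synology's code: a first-match evaluator over the two rules
# from Option 2, showing why the allow rule must sit above the deny-all rule.
set -u

# Dotted-quad IPv4 address to an integer so ranges can be compared.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Rule list: space-separated entries "ACTION:LOW:HIGH", tried top to bottom;
# the first rule whose source range contains the client wins, as in the
# firewall's rule list. With no matching rule the connection is allowed,
# the default that the advisory's deny-all rule exists to override (an
# assumption about the firewall's unmatched-rule behaviour).
evaluate() {
    rules=$1
    src=$(ip2int "$2")
    for rule in $rules; do
        action=${rule%%:*}
        rest=${rule#*:}
        lo=$(ip2int "${rest%%:*}")
        hi=$(ip2int "${rest#*:}")
        if [ "$src" -ge "$lo" ] && [ "$src" -le "$hi" ]; then
            echo "$action"
            return 0
        fi
    done
    echo allow
}

# The advisory's intended order: allow the trusted range, then deny everyone.
CORRECT_ORDER='allow:192.168.1.90:192.168.1.99 deny:0.0.0.0:255.255.255.255'
# The same two rules reversed: deny-all matches first, so nobody gets SMB.
WRONG_ORDER='deny:0.0.0.0:255.255.255.255 allow:192.168.1.90:192.168.1.99'

# Constructed client addresses: one inside the trusted range, two outside it.
for ip in 192.168.1.95 192.168.1.100 10.0.0.5; do
    echo "$ip: correct order -> $(evaluate "$CORRECT_ORDER" "$ip"), wrong order -> $(evaluate "$WRONG_ORDER" "$ip")"
done
```

With the rules in the advisory's order, 192.168.1.95 is allowed and the other two are denied; with the order reversed, all three are denied, which is the symptom to look for if SMB stops working for the trusted hosts after adding the deny rule.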
Update Availability
Not available yet.