SMB1 Vulnerabilities: How do they affect NetApp’s Data ONTAP?

Google “SMBv1 vulnerability” and you’ll get a ton of hits. There’s a reason for this.

SMB1 is the devil!

But seriously, there are some major security holes in the protocol.

For a good rundown, check out the new NetApp CIFS/SMB TME Chris Hurley’s blog:

http://averageguyx.blogspot.com/2017/03/smb1-is-baaaaaad.html

This is in addition to the functional limitations of SMB1, such as no resiliency against network loss, no durable handles, and poor overall performance and chattiness. There are many good reasons why Microsoft has decided to deprecate SMB1 in favor of newer protocols. The SMB owner at Microsoft, Ned Pyle (@NerdPyle), gives a plethora of impassioned reasoning in his TechNet blog “Stop using SMB1!”

So, there we are. SMB1 is bad, mmkay?

How does SMB1’s devil status affect NetApp’s ONTAP operating systems?

For the official NetApp statement, see this KB:

https://kb.netapp.com/support/s/article/NTAP-20170515-0001

This question comes up a bit here at NetApp, since security scanners will throw bells, whistles and alarms whenever SMB1 is detected in an environment. What follows answers three questions:

  • Does SMB1 in ONTAP have the same vulnerabilities?
  • Can I disable SMB1 in ONTAP?
  • If I can’t disable it, can I block it?

The good news is that the main security vulnerabilities that plague SMB1 in Windows (such as the 0-day exploits) generally don’t affect ONTAP, because ONTAP isn’t a Windows system. It uses a proprietary, custom-built CIFS/SMB stack (akin to Samba), so vulnerabilities in the Windows implementation don’t carry over to ONTAP.

Note: I can’t take all the credit for the information in this blog. That credit goes to John Lantz (CIFS TME at NetApp), as well as various CIFS/SMB engineering resources here.

Can I disable SMB1 in ONTAP?

While the vulnerabilities don’t necessarily affect ONTAP, security scanners still trigger alarms and managers still want the red X’s to go away.

As a result, people want to just turn it off in ONTAP, especially since they aren’t currently using it in their environments (hopefully).

The good news is that ONTAP is in the process of deprecating SMB1. The bad news? It’s still there.

However, in ONTAP 9.2, NetApp introduced a new CIFS option, available at advanced privilege, to disable SMB1!

cluster::> set advanced
cluster::*> cifs options modify -vserver DEMO -smb1-enabled false

From the command help:

 [-smb1-enabled {true|false}] - Enable SMB1 Protocol (privilege: advanced)
 This optional parameter specifies whether the CIFS server negotiates the SMB 1.0 version of the CIFS protocol. The default value for this parameter is true.

If you need to disable SMB1 for client connections in ONTAP now, you need to be on ONTAP 9.2.

We also have the ability to control which SMB version is used for connections to domain controllers during authentication. In systems running ONTAP 7-mode, use the following option to enable SMB2 for those DC connections:

cifs.smb2.client.enable

In systems running clustered ONTAP, starting in ONTAP 8.3.2P5, you can disable SMB1 connections to the DC as well as enable SMB2. The options are documented as follows:

[-smb1-enabled-for-dc-connections {false|true|system-default}] - SMB1 Enabled for DC Connections
 This parameter specifies whether SMB1 is enabled for use with connections to domain controllers. If you do not specify this parameter, the default is system-default.

SMB1 Enabled For DC Connections can be one of the following:
o false - SMB1 is not enabled.
o true - SMB1 is enabled.
o system-default - This sets the option to whatever is the default for the release of Data ONTAP that is running. For this release it is: SMB1 is enabled.

[-smb2-enabled-for-dc-connections {false|true|system-default}] - SMB2 Enabled for DC Connections
 This parameter specifies whether SMB2 is enabled for use with connections to domain controllers. If you do not specify this parameter, the default is system-default.

SMB2 Enabled For DC Connections can be one of the following:
o false - SMB2 is not enabled.
o true - SMB2 is enabled.
o system-default - This sets the option to whatever is the default for the release of Data ONTAP that is running. For this release it is: SMB2 is not enabled.

Use the following command to disable SMB1 and enable SMB2 for DC connections:

cifs security modify -vserver DEMO -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
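As an added example (not code from this blog or from NetApp), here is a Python audit that applies the release gating and the system-default semantics described above to constructed `cifs options`/`cifs security` field output, and prints which of the commands above applies. The column layout, the ordering rule for P-releases, and the remediation wording for releases that lack a given option are assumptions.

```python
import re
# Constructed sample in "-fields" style; the column labels mirror the option
# names in the post, but the exact layout of real ONTAP output is an assumption.
SAMPLE = """\
vserver smb1-enabled smb1-enabled-for-dc-connections smb2-enabled-for-dc-connections
DEMO    true         system-default                  system-default
SVM2    false        false                           true
"""

def parse_version(v):
    """'8.3.2P5' -> comparable tuple; a P patch level sorts after its base release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:P(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad so '9.2' compares as 9.2.0
    return tuple(parts) + (int(m.group(2) or 0),)

def parse_fields(text):
    """Split whitespace-separated field output into one dict per vserver row."""
    rows = [line.split() for line in text.strip().splitlines()]
    return [dict(zip(rows[0], row)) for row in rows[1:]]

def resolve(value, default_enabled):
    """'system-default' means SMB1 on / SMB2 off for DC connections, per the post."""
    return default_enabled if value == "system-default" else value == "true"

def audit(version, text):
    """Return (vserver, finding, remediation) tuples for SVMs still allowing SMB1."""
    ver = parse_version(version)
    findings = []
    for row in parse_fields(text):
        svm = row["vserver"]
        if row["smb1-enabled"] == "true":
            # The client-facing knob only exists from ONTAP 9.2 (advanced privilege).
            fix = (f"set advanced, then: cifs options modify -vserver {svm} -smb1-enabled false"
                   if ver >= parse_version("9.2")
                   else "no client-side SMB1 switch before ONTAP 9.2; plan the upgrade")
            findings.append((svm, "SMB1 enabled for client connections", fix))
        smb1_dc = resolve(row["smb1-enabled-for-dc-connections"], True)
        smb2_dc = resolve(row["smb2-enabled-for-dc-connections"], False)
        if smb1_dc or not smb2_dc:
            # The DC-connection knobs exist from ONTAP 8.3.2P5 onwards.
            fix = (f"cifs security modify -vserver {svm} "
                   "-smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true"
                   if ver >= parse_version("8.3.2P5")
                   else "DC-connection SMB version controls need ONTAP 8.3.2P5 or later")
            findings.append((svm, "DC connections still permit SMB1 or lack SMB2", fix))
    return findings
```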

If I can’t disable it in ONTAP, can I block it?

Technically, you *could* block the SMB1 ports. However, if you block ports that SMB2 also needs (such as 445), you’d be in trouble.

The official recommendation from Microsoft is a combination of disabling SMB1 on clients (you could handle this via Group Policy), as well as blocking ports on *external* facing interfaces. In other words, don’t allow SMB outside of the firewall.

Here’s the official link:

https://technet.microsoft.com/en-us/library/cc766392%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

To disable SMB1 on the client:

https://support.microsoft.com/en-us/kb/2696547

Inside your firewall, you shouldn’t need the following ports, so block away:

  • UDP/137 (NetBIOS name service)
  • UDP/138 (NetBIOS datagram service)
  • TCP/139 (NetBIOS session service)

In some cases, you won’t be able to rid yourself entirely of SMB1. Remember that $30k printer/copier/scanner you bought 10 years ago that was cool because you could scan directly to an SMB share? Yeah… that’s probably still using SMB1. Check with your scanner/copier vendor to see if they have any software updates. Otherwise, you may need to disable SMB1 on the copier/scanner, or budget for a new one.

For the official NetApp statement on SMB1, check out this TR, starting on page 4:

http://www.netapp.com/us/media/tr-4543.pdf

Also, check out Episode 95 of the Tech ONTAP podcast, where we discuss WannaCry and Petya!

https://m.soundcloud.com/techontap_podcast/episode-95-quarterly-security-update-wannacry-and-petya

17 thoughts on “SMB1 Vulnerabilities: How do they affect NetApp’s Data ONTAP?”

  1. Hi Justin.

    Are you sure about the 7-mode options? “cifs.smb2.client.enable” doesn’t exist in 8.2.3P3.
    I have just this options in advanced mode:
    cifs.signing.enable on
    cifs.smb2.enable on
    cifs.smb2.signing.required off
    cifs.smb2_1.branch_cache.enable off

    • What happens when you type:

      filer> options cifs.smb2.client.enable

      Sometimes options are hidden from view by default unless set manually.

      For example, that option exists in a filer running 7.3.2:

      filer*> version
      NetApp Release 7.3.2: Thu Oct 15 05:59:52 PDT 2009
      filer*> options cifs.smb2
      cifs.smb2.client.enable off

    • Metrocluster doesn’t matter here. Also, if the option is in 7.3, it’s definitely in 8.2.x. What did you see when you explicitly typed the option in the CLI like I mentioned in the previous comment?

  2. 8.3.2P9 here. I don’t see this option: cifs options modify -vserver vservname -smb1-enabled-for-dc-connections false

    Error: invalid argument “-smb1-enabled-for-dc-connections”

  3. I found it:
    vserver cifs security modify -vserver myvserver -smb1-enabled-for-dc-connections false

    It seems to have some effect (I can now do a vserver cifs server create), but I am not sure if it’s entirely fixed things, as:
    cifs domain discovered-servers show

    returns most of the DCs as undetermined.

    I am unclear if the windows admins made any other changes that might have broken this besides:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false -force

    trying to clarify this.

    • Also, “undetermined” doesn’t mean it’s broken. I see “undetermined” in my lab:

      Vserver: DEMO

      Domain Name   Type       Preference   DC-Name   DC-Address      Status
      ------------  ---------  -----------  --------  --------------  ------------
      ""            LDAP       adequate     oneway    10.193.67.236   undetermined
      ntap.local    KERBEROS   adequate     oneway    10.193.67.236   undetermined
      ntap.local    MS-LDAP    adequate     oneway    10.193.67.236   undetermined
      ntap.local    MS-DC      adequate     oneway    10.193.67.236   OK

  4. Aha ok, so this is just a matter of me getting used to cmode:
    walnacmode01::*> diag secd connections test -node walnacmode01-01 -vserver nawinfs02

    NETLOGON Connection
    Service Configured: true
    Connection test Result: Successful

    LSA Connection
    Service Configured: true
    Connection test Result: Successful

    AD LDAP Connection
    Service Configured: true
    Connection test Result: Successful

    Looks like I am good? Does this mean that discovered servers may only return 1 or 2 servers as OK, and the rest as undetermined?
