***Updated June 8, 2020***
Google "SMBv1 vulnerability" and you’ll get a ton of hits. There’s a reason for this.
SMB1 is the devil!
But seriously, there are some major security holes in the protocol.
For a good rundown, check out the new NetApp CIFS/SMB TME Chris Hurley’s blog:
http://averageguyx.blogspot.com/2017/03/smb1-is-baaaaaad.html
This is in addition to the functional limitations of SMB1, such as lack of resiliency to network loss, lack of durable handles, and overall poor performance and chattiness. There are many good reasons why Microsoft has decided to deprecate SMB1 in favor of newer protocols. The SMB owner at Microsoft, Ned Pyle (@NerdPyle), gives a plethora of impassioned reasoning in his TechNet blog post “Stop using SMB1!”
So, there we are. SMB1 is bad, mmkay?
How does SMB1’s devil status affect NetApp’s ONTAP operating systems?
For the official NetApp statement, see this KB:
https://kb.netapp.com/support/s/article/NTAP-20170515-0001
This question comes up a bit here at NetApp, since security scanners will throw bells, whistles and alarms whenever SMB1 is detected in an environment. The questions that follow are:
- Does SMB1 in ONTAP have the same vulnerabilities?
- Can I disable SMB1 in ONTAP?
- If I can’t disable it, can I block it?
The good news is that the main security vulnerabilities that plague SMB1 in Windows (such as the 0-day exploits) generally don’t affect ONTAP, because ONTAP isn’t a Windows system. It uses a proprietary, custom-built CIFS/SMB stack (akin to Samba). Thus, the vulnerabilities that impact the Windows SMB1 implementation don’t impact ONTAP.
Note: I can’t take all the credit for the information in this blog. That credit goes to John Lantz (CIFS TME at NetApp), as well as various CIFS/SMB engineering resources here.
Can I disable SMB1 in ONTAP?
While the vulnerabilities don’t necessarily affect ONTAP, the security scanners are still triggering alarms, and managers still want the red X’s to go away.
As a result, people want to just turn it off in ONTAP, especially since they aren’t currently using it in their environments (hopefully).
The good news is that ONTAP is in the process of deprecating SMB1. The bad news? It’s still there.
However, in ONTAP 9.2, NetApp introduced a new CIFS option to disable SMB1 in advanced privilege!
cluster::> set advanced
cluster::*> cifs options modify -vserver DEMO -smb1-enabled false

[-smb1-enabled {true|false}] - Enable SMB1 Protocol (privilege: advanced)
This optional parameter specifies whether the CIFS server negotiates the SMB 1.0 version of the CIFS protocol. The default value for this parameter is true.
If you need to disable SMBv1 now in clustered ONTAP, you’d need to be on ONTAP 9.2.
To disable SMB 1.0 (server or client functionality) in ONTAP running in 7-Mode, you have to be on version 8.2.5 and use the newly added options under “cifs control”:
smb1.enable - controls SMB1 server capability, enabled by default
smb1.client.enable - controls SMB1 client capability, enabled by default
We also have the ability to control what SMB version is used with domain controllers for authentication. In systems running ONTAP 7-mode, use the following option to enable SMB2.
cifs.smb2.client.enable
In systems running clustered ONTAP, starting in ONTAP 8.3.2P5, you can disable SMB1 connections to the DC, as well as enable SMB2.
[-smb1-enabled-for-dc-connections {false|true|system-default}] - SMB1 Enabled for DC Connections
This parameter specifies whether SMB1 is enabled for use with connections to domain controllers. If you do not specify this parameter, the default is system-default. SMB1 Enabled For DC Connections can be one of the following:
o false - SMB1 is not enabled.
o true - SMB1 is enabled.
o system-default - This sets the option to whatever is the default for the release of Data ONTAP that is running. For this release it is: SMB1 is enabled.

[-smb2-enabled-for-dc-connections {false|true|system-default}] - SMB2 Enabled for DC Connections
This parameter specifies whether SMB2 is enabled for use with connections to domain controllers. If you do not specify this parameter, the default is system-default. SMB2 Enabled For DC Connections can be one of the following:
o false - SMB2 is not enabled.
o true - SMB2 is enabled.
o system-default - This sets the option to whatever is the default for the release of Data ONTAP that is running. For this release it is: SMB2 is not enabled.
Use the following command to do that:
cifs security modify -vserver DEMO -smb1-enabled-for-dc-connections false -smb2-enabled-for-dc-connections true
Remove the client capability to use the SMB 1.0 protocol
You can also determine which clients are using the SMB 1.0 protocol for file access, and then disable SMB 1.0 at the client. This is an important step to ensure that there are no dependencies in your environment for the SMB 1.0 protocol.
Data ONTAP 7-Mode:
Run the following command to determine which clients are using SMB 1.0.
cifs sessions -p smb
Clustered Data ONTAP and ONTAP:
To determine from ONTAP which clients are using SMB 1.0, run the following CLI command from the advanced privilege level:
cifs session show -protocol-version SMB1
Once you have determined which clients are still using SMB 1.0, you can change that behavior on the Windows client using the information in the Microsoft article linked below.
If I can’t disable it in ONTAP, can I block it?
Technically, you *could* block the SMB1 ports. However, if you block ports that SMB2 also needs (such as 445), you’d be in trouble.
The official recommendation from Microsoft is a combination of disabling SMB1 on clients (you could handle this via Group Policy), as well as blocking ports on *external* facing interfaces. In other words, don’t allow SMB outside of the firewall.
Here’s the official link:
https://technet.microsoft.com/en-us/library/cc766392%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
To disable SMB1 on the client:
https://support.microsoft.com/en-us/kb/2696547
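As an added example for the client-side steps above (finding SMB1 dependencies, then disabling SMB 1.0 as the Microsoft article describes), and not code from the original post: a PowerShell audit-then-disable routine. It assumes Windows 8.1/Server 2012 R2 or later with the SmbShare module and an elevated session; the function names and the "1.*" dialect filter are my own choices.

```powershell
# Added example (not from the original post): audit SMB1 on a Windows host before
# turning it off, so the "no dependencies" check is done on the client side too.
# Assumes Windows 8.1 / Server 2012 R2 or later, SmbShare module, elevated session.

function Get-Smb1Dependencies {
    # Server side: sessions from remote clients that negotiated an SMB 1.x dialect.
    $sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    # Client side: outbound connections (to ONTAP SVMs, copiers, etc.) still on SMB 1.x.
    $connections = Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ServerName, ShareName, UserName, Dialect

    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1Feature       = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        InboundSmb1       = @($sessions)
        OutboundSmb1      = @($connections)
    }
}

function Disable-Smb1IfUnused {
    param([switch]$Force)
    $audit = Get-Smb1Dependencies
    if (($audit.InboundSmb1.Count -gt 0 -or $audit.OutboundSmb1.Count -gt 0) -and -not $Force) {
        Write-Warning "SMB1 is still in use; fix these dependencies first or rerun with -Force:"
        $audit.InboundSmb1  | Format-Table -AutoSize | Out-String | Write-Warning
        $audit.OutboundSmb1 | Format-Table -AutoSize | Out-String | Write-Warning
        return $audit
    }
    # Same server-side setting used in the comment thread; -Force skips the prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 component itself so this host cannot negotiate SMB1 outbound either.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Get-Smb1Dependencies
}

# Audit only; call Disable-Smb1IfUnused once the lists come back empty.
Get-Smb1Dependencies | Format-List
```

Run the audit on file servers during business hours, since Get-SmbSession only shows sessions that are open at that moment; a copier that scans nightly will not appear in a daytime snapshot.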
Inside your firewall, you shouldn’t need the following ports, so block away:
- UDP/137 (NetBIOS name service)
- UDP/138 (NetBIOS datagram service)
- TCP/139 (NetBIOS session service)
In some cases, you won’t be able to rid yourself entirely of SMB1. Remember that $30k printer/copier/scanner that you bought 10 years ago that was cool because you could scan directly to an SMB share? Yeah… that’s probably still using SMB1. Check with your scanner/copier vendor to see if they have any software updates. Otherwise, you may need to disable SMB1 on the copier/scanner, or budget for a new one.
For the official NetApp statement on SMB1, check out this TR, starting on page 4:
http://www.netapp.com/us/media/tr-4543.pdf
Also, check out Episode 95 of the Tech ONTAP podcast, where we discuss WannaCry and Petya!
https://m.soundcloud.com/techontap_podcast/episode-95-quarterly-security-update-wannacry-and-petya
Great article. Thank you!
Here’s how to disable SMB 1.0 for all versions of Windows, including Windows 10 and Windows Server 2016:
http://www.sysadmit.com/2017/05/windows-deshabilitar-smb-10.html
Man, WannaCry 🙂
Hi Justin,
are you sure about the 7-Mode options? “cifs.smb2.client.enable” doesn’t exist in 8.2.3P3.
I have just these options in advanced mode:
cifs.signing.enable on
cifs.smb2.enable on
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.enable off
What happens when you type:
filer> options cifs.smb2.client.enable
Sometimes options are hidden from view by default unless set manually.
For example, that option exists in a filer running 7.3.2:
filer*> version
NetApp Release 7.3.2: Thu Oct 15 05:59:52 PDT 2009
filer*> options cifs.smb2
cifs.smb2.client.enable off
OK, I understand. I’m on 8.2.3P3 in MetroCluster. My example is in advanced mode. Maybe it’s different in 8.2.x?
MetroCluster doesn’t matter here. Also, if the option is in 7.3, it’s definitely in 8.2.x. What did you see when you explicitly typed the option in the CLI like I mentioned in the previous comment?
8.3.2P9 here, I don’t see this option:
cifs options modify -vserver vservname -smb1-enabled-for-dc-connections false
Error: invalid argument “-smb1-enabled-for-dc-connections”
Did you try advanced priv? (set advanced)
It’s definitely in 8.3.2P5 and later.
https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=786189
https://kb.netapp.com/support/s/article/ka61A0000008a55QAA/Is-it-possible-to-disable-SMB-1-0-in-ONTAP
Douglas: in cluster mode this option is available. I have set it on my MetroCluster (ONTAP 9) and it is possible; maybe use Tab to see this option.
Justin: in 7-Mode my command is: vfiler run vfilerxx options cifs
The result is an extract of the cifs smb2 options. I don’t see cifs.smb2.client.
Forgot to mention, we are running into issues where the Windows team cannot disable SMBv1 without cmode having issues (Petya/WannaCry).
On 7 mode we used this article: https://kb.netapp.com/support/s/article/ka31A0000000kpyQAA/how-to-force-smb-over-tcp-when-netbios-is-disabled-on-an-active-directory-domain-controller?language=en_US
That option seemed to fix testdc.
Case No. 2006938438
I found it:
vserver cifs security modify -vserver myvserver -smb1-enabled-for-dc-connections false
It seems to have some effect (I can now do a vserver cifs server create), but I am not sure if it’s entirely fixed things, as:
cifs domain discovered-servers show
returns most of the DCs as undetermined.
I am unclear if the Windows admins made any other changes that might have broken this besides:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -force
Trying to clarify this.
What does “diag secd connections test” give you? (diag priv)
Also, “undetermined” doesn’t mean it’s broken. I see “undetermined” in my lab:
Vserver: DEMO
Domain Name  Type      Preference  DC-Name  DC-Address     Status
-----------  --------  ----------  -------  -------------  ------------
""           LDAP      adequate    oneway   10.193.67.236  undetermined
ntap.local   KERBEROS  adequate    oneway   10.193.67.236  undetermined
ntap.local   MS-LDAP   adequate    oneway   10.193.67.236  undetermined
ntap.local   MS-DC     adequate    oneway   10.193.67.236  OK
Aha ok, so this is just a matter of me getting used to cmode:
walnacmode01::*> diag secd connections test -node walnacmode01-01 -vserver nawinfs02
NETLOGON Connection
Service Configured: true
Connection test Result: Successful
LSA Connection
Service Configured: true
Connection test Result: Successful
AD LDAP Connection
Service Configured: true
Connection test Result: Successful
Looks like I am good? Does this mean that discovered servers may only return 1 or 2 servers as OK, and the rest as undetermined?
Yep. https://kb.netapp.com/support/s/article/ka11A0000001F50QAE/svm-active-directory-discovered-servers-show-command-reports-status-as-undetermined
ONTAP 9.1P8 now also supports disabling SMB1.
Hello. Are you aware of a bad limitation of the ONTAP 7-Mode SMBv2 implementation (even with 8.2.5) related to the “FileAllInformation” info class in the MS-SMB2 spec?
When a Linux Samba client makes such a request, ONTAP’s answer is “NOT_SUPPORTED”.
More information on:
– https://bugzilla.samba.org/show_bug.cgi?id=11781#c3 (other comments are also interesting)
– https://www.novell.com/support/kb/doc.php?id=7017410
As a result, all Linux Samba clients are stuck on SMBv1… This is really bad news. 😦
FYI, the test is easy to reproduce, and Wireshark clearly highlights that the “FILE_ALL_INFORMATION” request is rejected by ONTAP.
Any idea how to make progress?
Not aware of it, no. But given the fact that cDOT is where all the development investment is, I doubt this gets addressed in 7-Mode.