The most recent Petya ransomware attack (aka NotPetya or Nyetya) exploited SMB vulnerabilities, bringing down airports, banks, and other institutions across Europe. While it was first believed the attack would be bigger than the recent WannaCry wave, it was more limited. Microsoft has deprecated SMBv1 since 2014 and will disable it in the next version of Windows 10. However, with companies such as Google, IBM, Cisco, and more still requiring support for SMBv1, Redmond has decided to name the software makers that still use the old file sharing protocol. In a blog post, Ned Pyle, a Principal Program Manager in the Microsoft Windows Server High Availability and Storage group, lists the vendors. Pyle also states that this list is not complete and users should check back often for updates. Microsoft’s list includes, among others:
“Cisco – Web Security Appliance/WSAv – https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir & https://supportforums.cisco.com/discussion/13295496/wsav-supports-smbv1-only
Cisco – Wide Area Application Services/WAAS 5.0 & older – http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v501/release/notes/ws501xrn.html
IBM – NetServer V7R2 or below – http://www-01.ibm.com/support/docview.wss?uid=nas8N1011878
IBM – QRadar Vulnerability Manager 7.2.x or below (7.3 has been updated) – http://www-01.ibm.com/support/docview.wss?uid=swg22004178
VMware – Vcenter VMware vCenter Server Appliance, VMware vRealize Automation Identity Appliance – https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2134063&sliceId=1&docTypeID=DT_KB_1_1&dialogID=479220377&stateId=0 (note: steps to configure SMB2 for VCenter, at least on latest versions, until VMware updates their KB – https://virtualizationnation.com/2017/04/17/enabling-vcenter-server-appliance-vcsa-to-use-smb2/)
VMware – Older than ESXI 6.0 – https://communities.vmware.com/message/2663902#2663902 & https://communities.vmware.com/message/2668266#2668266”
See the latest version of the list here.
SMBv1 Oplocks override workaround
If your vendors require you to disable SMBv2 in order to force SMBv1, they often require disabling oplocks as well. Microsoft doesn’t recommend that and has offered an oplocks override workaround, which only works in Windows 10 RS3 and Windows Server 2016 RS3. Ned Pyle posted the workaround on his Twitter account almost one month ago. Admins should use the “LeasingMode” option in SMB v3, which lets them stop leases and oplocks, as in SMBv1.
/1 — Ned Pyle (@NerdPyle) June 19, 2017
Why SMBv1 isn’t safe
This is not the first time Microsoft has warned software vendors and users to stop using SMBv1. Back in September 2016, Ned Pyle explained in a blog post why vendors and customers should stop using the legacy file sharing protocol. In the blog post, Pyle said that SMBv1 was designed for an era without ransomware and other malicious attacks. He compared SMBv1 to later SMB protocol versions such as SMB 3.1.1+, SMB 3.0, 3.02 and others, which offer key protections. Here is a list of what the newer versions of SMB offer that SMBv1 doesn’t:
“Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!
Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.
Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.”
To disable SMB v1 in Windows 10, open Windows Features by searching for it in the Start Menu and uncheck the respective box.
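The two administrative steps described above (turning SMBv1 off, and using LeasingMode on a share instead of disabling SMBv2 for an application that cannot tolerate oplocks) can also be carried out from an elevated PowerShell prompt. This is an added example, not taken from the article or from Microsoft's post; the share name `VendorShare` is a hypothetical placeholder, and `-LeasingMode` assumes Windows 10 RS3 / Windows Server 2016 RS3 or later.

```powershell
#Requires -RunAsAdministrator
# Added example. Without -Apply the script only reports; nothing is changed.
param(
    [string]$ShareName = 'VendorShare',  # hypothetical share used by the legacy application
    [switch]$Apply
)

# 1. Server-side dialect switches. EnableSMB2Protocol also governs SMB3,
#    which is why turning it off to force SMBv1 loses all SMB3 protections.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1Enabled = $cfg.EnableSMB1Protocol
    SMB2Enabled = $cfg.EnableSMB2Protocol
} | Format-List

# 2. The optional feature behind the "Windows Features" checkbox on Windows 10.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature state: $($feature.State)"

# 3. Current leasing mode of every share (the column is empty on builds
#    that predate the LeasingMode option).
Get-SmbShare | Select-Object Name, Path, LeasingMode | Format-Table -AutoSize

if (-not $Apply) {
    'Report only. Re-run with -Apply to make the changes below.'
    return
}

# 4. Stop serving SMBv1 and remove the feature (takes effect after a reboot).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 5. Oplocks override: keep SMB2/3 enabled, but stop granting leases and
#    oplocks on the one share whose application requires it.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name $ShareName -LeasingMode None -Force
    Get-SmbShare -Name $ShareName | Select-Object Name, LeasingMode
} else {
    Write-Warning "Share '$ShareName' not found; LeasingMode left unchanged."
}
```

Because the leasing setting is per share, every other share on the server keeps its default caching behaviour.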