Years late to the SMB1-killing party, Samba finally dumps the unsafe file-sharing protocol version by default

Although you can still use it if you like the thrill of danger


Samba says its next release will switch off previously on-by-default support for the aging and easily subverted SMB1 protocol. It can be reenabled for those truly desperate to use the godforsaken deprecated protocol version.

The open-source SMB toolkit's developers say the Samba 4.11 build, currently in preview, will by default set SMB2_02 as the earliest supported version of the Windows file-sharing protocol.

"This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default)," the 4.11 release notes read.

"It also means client tools like smbclient and others, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default)."

Admins will still have the option to allow SMB1 on their servers if they so choose, but support will be turned off by default.

The move by Samba to drop SMB1 can be seen as long overdue, given that Microsoft has been moving to get rid of the file-server protocol version from its operating systems for several years now, even before it was revealed to be one of the NSA's favorite weak points to exploit.


Since the Windows 10 1709 build back in 2017, both the desktop and server versions of Windows dropped support for SMB1, and as far back as 2016 Microsoft was urging admins to drop the protocol version altogether.

"The original SMB1 protocol is nearly 30 years old, and like much of the software made in the '80s, it was designed for a world that no longer exists," Microsoft's Ned Pyle said at the time.

"A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes."

While the Samba team notes Microsoft's efforts to kill off SMB1, including the loss of support in Windows, the developers also note that there may still be limited cases where the protocol version is necessary, and admins who still need SMB1 are encouraged to send in their feedback.

"It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2, and LANMAN1 for client and server, as well as CORE and COREPLUS on the client," the notes point out.

"Note that most command-line tools e.g. smbclient, smbcacls and others also support the --option argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful." ®
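As an added example (not code from the article or from the Samba project), here is a small POSIX-shell audit that reads an smb.conf and reports whether either the server or the client side still admits one of the SMB1 dialects named above. The two configs are constructed samples, and a parameter that is not set is assumed to take the 4.11 default of SMB2_02.

```shell
# Constructed samples: one smb.conf that re-enables SMB1 on the server side,
# and one that spells out the Samba 4.11 defaults.
WEAK_CONF=$(cat <<'EOF'
[global]
   server min protocol = NT1
   client min protocol = SMB2_02
EOF
)
SAFE_CONF=$(cat <<'EOF'
[global]
   server min protocol = SMB2_02
   client min protocol = SMB2_02
EOF
)
# min_protocol CONF PARAM: print PARAM's value (upper-cased) from [global] in the
# smb.conf text CONF, matching the name case-insensitively; nothing if unset.
min_protocol() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*[;#]/ { next }                            # comment line
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec) }
        sec == "global" && index($0, "=") {
            name = tolower($0); sub(/[ \t]*=.*/, "", name)
            gsub(/^[ \t]+/, "", name); gsub(/[ \t]+/, " ", name)
            if (name == key) {
                val = toupper($0); sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val); print val
            }
        }'
}
# is_smb1_dialect DIALECT: succeed for the SMB1 dialects the release notes list.
is_smb1_dialect() {
    case "$1" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *) return 1 ;;
    esac
}
# audit_smb1 CONF: report each side whose minimum protocol still admits SMB1;
# return 1 if any does, 0 if the config is SMB2-or-better on both sides.
audit_smb1() {
    bad=0
    for side in server client; do
        dialect=$(min_protocol "$1" "$side min protocol")
        [ -n "$dialect" ] || dialect=SMB2_02   # unset: assume the 4.11 default
        if is_smb1_dialect "$dialect"; then
            echo "$side min protocol = $dialect: SMB1 dialects allowed"; bad=1
        fi
    done
    return $bad
}
```

To run it against a live host, substitute the contents of /etc/samba/smb.conf (or the output of testparm -s) for the constructed samples.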

