What happens when SMB1 is removed

SMB1 is done

Beware SMB1, the end draws near. At Microsoft’s June 2017 Interop event, Microsoft Principal Program Manager Ned Pyle delivered the eulogy for the outdated – and extremely vulnerable – version of the Server Message Block (SMB) protocol.

One simple, yet powerful slide from Mr. Pyle laid out the grave future for SMB1:

SMB1 is full of vulnerabilities

Since SMB’s inception in the 1990s, the protocol has seen three series of versions: SMB1, SMB2, and the present-day SMB3. SMB1, the first version of the protocol, was deemed slow and unsafe years ago. Up until 2017, nearly 50 vulnerabilities had been found in SMB1, resulting in 21 patches since 2016 alone.

One such vulnerability was discovered right here at Tuxera and documented in Microsoft Security Bulletin MS16-114. I spoke with Oleg Kravtsov, Lead Developer for the Tuxera SMB Server Implementation (now called Fusion File Share by Tuxera as of 2019), to learn a bit more about the details of this vulnerability. Oleg was one of the engineers responsible for uncovering the issue found in MS16-114, which was cause enough for Microsoft to release a security update to fix it.

SMB torture testing identifies issues

Oleg explains, “When we identified the vulnerability, we were performing an SMB torture test. Our team has extended the traditional torture test suite to include over 400 of our own tests, bringing the total number of tests to nearly 1,300. The torture test was designed to show how Fusion File Share by Tuxera – and Windows SMB server – would behave under a pre-defined sequence of requests on a shared file. We were purposefully trying to make both servers perform strangely. What it means in practice is we’re not only testing Tuxera’s own implementation, but also the Windows specification itself. As a result, if we see some unusual behavior in Windows, we investigate the issue and send our findings to Microsoft for review.”

The MS16-114 vulnerability discovered by Tuxera requires an authenticated user (logged in with a password, or as guest when the guest user is enabled) to send a predefined sequence of packets to the server. Oleg continues, “The vulnerability was only revealed through one of our own tests. The original SMB torture test suite would not have otherwise revealed this issue. What we found when using our combination of requests made to a file was that the Windows SMB server replied with a null response. That meant something didn’t go right. That was a surprise for us. So, we decided to test what would happen if we tried to play with the file in question – just like a hacker might. When we sent another trivial request to that file, we managed to completely crash Windows.”

That meant that theoretically, if an attacker were to get the credentials to the system and log in to Windows SMB1 Server, they could send the sequence of packets we identified and entirely crash people’s Windows systems. Once the Tuxera SMB team discovered this potentially serious vulnerability, they reported it right away to Microsoft. The team also demonstrated the crash at a Microsoft 2016 Interop event.

SMB3 server is secure – but only if SMB1 is disabled

The current version, SMB3, includes modern-day security features such as SMB Encryption and improved digital message signing that protect networks from cryptoworms and other ransomware. But guess what? There are an alarming number of old and new routers, network-attached storage (NAS) devices, and other network devices that still rely on the insecure, vulnerable SMB1 version!

This is a grave concern because according to Mr. Pyle, whenever the old SMB1 version is enabled, all security features are rendered meaningless. This is because the attacker can choose to downgrade the protocol used to SMB1. Let that sink in for a moment: if your device manufacturer enables SMB1, it completely negates all the advanced security features provided by SMB3! If you want to check if your devices might be vulnerable, Mr. Pyle keeps a tally on SMB1-dependent devices.

Why would device manufacturers do this? We’ve covered some of the reasons in a previous blog post, so you can get more details there. But all network device manufacturers should be preparing for the inevitable day Microsoft pulls the plug on SMB1 for good. Officially, SMB1 is in a deprecated state, though not fully removed. According to Jose Barreto, Principal Program Manager at Microsoft, “the fact that the feature is deprecated is a warning that it could go away at any time.”

What happens when SMB1 disappears for good?

So what happens to users when Microsoft decides to remove SMB1 from Windows SMB clients? Essentially, all home NAS and routers with NAS functionality dependent on SMB server implementations of SMB1 will no longer be interoperable with Windows. All shares in the network mounted using those SMB1-dependent implementations will disappear from the network as far as Windows clients are concerned. Windows users will no longer be able to find or access their shared drives in their local network.

It’s time for OEMs and ODMs of networking products to prepare for the end of SMB1. We’ll make it easy for you. Get in touch to find out more about our easy-to-adapt, secure alternative to the SMB1-dependent Samba versions often used throughout the industry – Fusion File Share by Tuxera.


Tuxera SMB is secure against SMB1 vulnerabilities like WannaCry

WannaCry was terrible, but it never had to happen – here’s why

In May 2017, the WannaCry ransomware cryptoworm ravaged its way through exposed systems in over 60 countries. The attack started on May 12 and spread rampantly over the next four days, exploiting a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. WannaCry sadly lived up to its name. Hospitals, businesses, metro stations, universities, operators, and other organizations were brought to their knees without access to their important shared documents and files.

The situation was so critical that Microsoft released an emergency security update for some versions of Windows that no longer receive mainstream support. Luckily, due to the swift action of Microsoft and cybersecurity experts around the world, the spread of WannaCry trickled off by May 16.

WannaCry wasn’t inevitable – it was preventable

The interesting thing is, the attack was entirely preventable. Firstly, Microsoft released a security update just a few months before the attack to address a susceptibility WannaCry exploited. Those who enabled this update were protected. Secondly, WannaCry – and a similar attack in June 2017, Petya – targeted a vulnerability found in a legacy version of the protocol, SMB1. And according to Microsoft, SMB1 is not safe. In fact, Microsoft’s own Ned Pyle wrote an entire blog post back in September 2016 begging people to stop using it!

Mr. Pyle wrote his blog post in connection with Microsoft Security Bulletin MS16-114, released September 2016. The bulletin detailed a vulnerability which “could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMB1) Server…The potential impact is denial of service.”

This vulnerability was discovered and reported to Microsoft by Tuxera software engineers Oleg Kravtsov and Alexander Ovchinnikov. They stumbled upon the possible exploit while developing and testing our proprietary SMB server implementation, Tuxera SMB (now called Fusion File Share by Tuxera as of 2019). The vulnerability was, in fact, so critical that Microsoft released a security update to fix it – the first such update to SMB1 since 2011 – while simultaneously imploring people to disable SMB1 altogether. Since the discovery by our engineers, 21 patches have been made to SMB1, as compared to 12 in the years preceding our discovery.

Although the vulnerability we uncovered was not directly related to the WannaCry attack (that was caused by the EternalBlue exploit), it goes to show that Microsoft had already declared that SMB1 is not secure. WannaCry would not have become such a large-scale problem had people simply stopped using SMB1 in favor of the latest, most secure version, SMB3. This raises the question: why is SMB1 still in use?

Skirting the legal ambiguity of GPLv3

A big reason is that outdated versions of Samba – the open-source SMB server implementation – are used inside embedded devices, such as routers. These older versions of Samba only support SMB1. Interestingly enough, there are newer Samba versions that support SMB3, the most secure version of the protocol. But using these latest Samba versions has a catch – they are licensed under GNU General Public License Version 3 (GPLv3).

The “anti-tivoization” and patent license clauses of GPLv3 are often major concerns for hardware vendors. They want to avoid exposing their products and intellectual property to the ambiguities surrounding the legal interpretation of the GPLv3 license. Thus, hardware manufacturers resort to choosing older versions of Samba, which are not licensed under GPLv3. In turn, these versions only support SMB1 – which leads us to the crux of the issue.

These outdated Samba versions not only lack critical security features – they also come with an additional risk. If Microsoft were to completely disable SMB1 in Windows, most common embedded devices such as printers and home network-attached storage (NAS) devices would just disappear from your network! Embedded device manufacturers are aware of this problem, but some stick with SMB1 rather than upgrade to newer versions of Samba (due to the GPLv3 license).

What should they choose? Stay on the sinking SMB1 ship or surrender to GPLv3 license terms? This is a question our customers are often faced with. And it’s the reason we offer them an easy-to-adapt, secure alternative to Samba with no legal ambiguity – Fusion File Share by Tuxera.

Router, NAS, and media gateway OEMs and ODMs – we'll help you get rid of your SMB1 dependencies.
