Samba (Windows File Sharing) Vulnerability in Synology DSM and SRM

Synology has released a security bulletin concerning vulnerabilities in Windows File Sharing (Samba) that affect DSM 6.1, DSM 6.0, DSM 5.2 and SRM 1.1. If your Synology NAS is reachable from the internet, or sits on a network where you can't trust every user who connects to it, you should apply the mitigation. Fortunately the mitigation for the latest DSM version, DSM 6.1, is easy to implement and won't affect usability unless you have really old clients that can only speak SMB1 (Windows XP, for example, or embedded devices of a similar age).

In short, the mitigation is to disable SMB version 1 (SMB1), the original dialect of the file-sharing protocol. Note that this is the protocol version, not the Samba software version: SMB2 has been available since Windows Vista (2006) and SMB3 since Windows 8 and Server 2012, so SMB1 should have been retired long ago in any client that uses it, but for compatibility most vendors have left it enabled by default. It's time to kill off SMB1, especially since this is only one of many vulnerabilities in it. The SMB2 floor is most directly a mitigation for the SMB1 information leak (CVE-2017-12163 below); the signing and DFS-redirect issues are addressed by the Samba fix itself, so still apply Synology's update when it ships.

The description of the vulnerabilities, from Synology’s security bulletin:

CVE-2017-12150
It was found that samba did not enforce “SMB signing” when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.
CVE-2017-12151
A flaw was found in the way samba client used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
CVE-2017-12163
An information leak flaw was found in the way SMB1 protocol was implemented by Samba. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker.

The mitigation for DSM 6.1 can be done through the DSM Control Panel: go to Control Panel > File Service > SMB > Advanced Settings and set Minimum SMB protocol to SMB2.

Mitigation on older DSM versions requires more effort, as does Synology Router Manager (SRM). Synology has also stated that it will release an update to DSM and SRM to address these vulnerabilities, but there is no ETA. DSM 6.1 Update 5, released the same day as the security bulletin, does not resolve this issue.

For DSM 6.0

  1. Go to Control Panel > Applications > Terminal & SNMP, and tick Enable SSH service.
  2. Log in to DSM via SSH as "admin" and execute the following command (straight quotes, as shown; the curly quotes a browser may render will not work in a shell):
    sudo /usr/bin/sed -i '/min protocol/d' /etc/samba/smb.conf && sudo sh -c "echo 'min protocol=SMB2' >> /etc/samba/smb.conf" && sudo /sbin/restart smbd

For DSM 5.2

  1. Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service.
  2. Log in to DSM via SSH as "root" and execute the following command (the square brackets in the sed address must be escaped, otherwise [global] is a character class that matches almost every line):
    /bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf && /bin/sed -i '/\[global\]/a min protocol=SMB2' /usr/syno/etc/smb.conf && /sbin/restart smbd

For SRM 1.1

  1. Go to Control Panel > Services > System Services and tick Enable SSH service.
  2. Log in to SRM via SSH as "root" and execute the following command (again with the brackets in the sed address escaped):
    /bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf && /bin/sed -i '/\[global\]/a min protocol=SMB2' /usr/syno/etc/smb.conf && /sbin/restart smbd
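Whichever of the paths above you used, confirm from a client that the NAS really refuses SMB1 before trusting the change. The following is an added example, not code from Synology or from the original post: a small Python 3 script that sends a raw SMB1 negotiate request offering only the "NT LM 0.12" dialect to TCP port 445 and reports how the server answers, so it needs no smbclient on the machine doing the check. The hostname nas.example.lan is a placeholder, the 0xC853 Flags2 value is simply what a typical client sends, and the replies built by make_sample_smb1_reply are constructed for exercising the classifier, not captured from a real NAS.

```python
#!/usr/bin/env python3
"""Probe an SMB server to confirm it no longer negotiates SMB1.

Added example (not Synology's or the original post's code). It frames a raw
SMB_COM_NEGOTIATE request that offers only the SMB1 dialect "NT LM 0.12" and
classifies whatever comes back on the socket.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT_SELECTED = 0xFFFF       # DialectIndex a server returns when it accepts none
SMB1_HEADER_FMT = "<BIBHH8sHHHHH"  # the 28 bytes after the 4-byte protocol id


def _smb1_header(command=SMB_COM_NEGOTIATE, flags=0x18):
    """32-byte SMB1 header with TID/UID zero (nothing has been negotiated yet)."""
    return SMB1_MAGIC + struct.pack(
        SMB1_HEADER_FMT,
        command,      # Command
        0,            # Status
        flags,        # Flags (0x18 = case-insensitive, canonical paths)
        0xC853,       # Flags2: Unicode, NT status codes, extended security, long names
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures (signature slot, empty)
        0,            # Reserved
        0,            # TID
        0xFEFF,       # PIDLow (arbitrary)
        0,            # UID
        1,            # MID
    )


def build_smb1_negotiate(dialects=("NT LM 0.12",)):
    """NetBIOS-framed SMB1 negotiate offering only the given SMB1 dialects."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = _smb1_header() + struct.pack("<BH", 0, len(body)) + body  # WordCount=0, ByteCount
    return struct.pack(">I", len(smb)) + smb  # 4-byte NetBIOS session header


def classify_negotiate_response(data):
    """Map a raw reply to 'smb1-accepted', 'smb1-refused', 'smb2-only' or 'unknown'."""
    if not data:
        return "smb1-refused"           # connection closed without a reply
    smb = data[4:]                      # drop the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2-only"              # server answered with an SMB2 header
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "unknown"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return "smb1-refused"           # error reply or empty parameter block
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1-refused" if dialect_index == NO_DIALECT_SELECTED else "smb1-accepted"


def make_sample_smb1_reply(dialect_index):
    """Constructed minimal SMB1 negotiate reply (not a capture) for exercising the classifier."""
    smb = _smb1_header(flags=0x98) + struct.pack("<BHH", 1, dialect_index, 0)
    return struct.pack(">I", len(smb)) + smb


def probe_smb1(host, port=445, timeout=5.0):
    """Send an SMB1-only negotiate to host:port and report how the server treats it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""                  # assumption: silence means the offer was dropped
    return classify_negotiate_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "nas.example.lan"  # placeholder hostname
    verdict = probe_smb1(target)
    print(f"{target}: {verdict}")
    sys.exit(0 if verdict != "smb1-accepted" else 1)
```

Run it as python3 smb1probe.py nas.example.lan. A hardened NAS reports smb1-refused (either a negotiate reply that selects no dialect, or the connection simply being closed); smb1-accepted means the minimum protocol is still SMB1, typically because smbd was not restarted or the edit went into the wrong file. If smbclient is installed, the equivalent one-liner is smbclient -m NT1 -N -L //nas.example.lan, which should fail to connect once SMB1 is off.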
