Microsoft Windows SMB Server Vulnerability: MS17-010

Remote code execution vulnerabilities exist in the way Server Message Block version 1 (SMBv1) handles certain requests. Follow these steps to manually disable the SMBv1 protocol.

Windows server and client:

Step-by-step instructions are available from Microsoft at: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows

Linux server and client:

CLIENT INSTRUCTIONS

Forcing clients to stop using SMBv1 requires one global modification and one additional modification per service.  The global change should be performed in /etc/samba/smb.conf; add the following line to the [global] section:

client min protocol = SMB2

This forces your client to use SMBv2 or higher, but an individual program’s connection string might still cause issues; the default behavior for the smbclient command is usually NT1 (aka CIFS/SMBv1).  You’ll need to modify the connection string that any client applications use by adding the following flag to the smbclient command:

--max-protocol SMB2

SERVER INSTRUCTIONS

Forcing the server to stop supporting SMBv1 requires adding the following directive to the [global] section of /etc/samba/smb.conf:

server min protocol = SMB2

Source: https://www.cyberciti.biz/faq/how-to-configure-samba-to-use-smbv2-and-disable-smbv1-on-linux-or-unix/
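
To check that both the client and server directives above are actually in effect in a given smb.conf, the following Python script is an added example (not part of the original advisory and not Samba's own code). The function names, status strings and sample configuration are constructed for illustration; it assumes smb.conf's documented behavior of ignoring case and whitespace in parameter names and of treating "min protocol" as a synonym for "server min protocol".

```python
import re

# Samba dialect names that mean SMBv1 or older.
LEGACY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SYNONYMS = {"minprotocol": "serverminprotocol"}  # Samba synonym
# The two [global] directives this page asks for.
REQUIRED = ("client min protocol", "server min protocol")

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            key = re.sub(r"\s+", "", name).lower()
            params[SYNONYMS.get(key, key)] = value.strip()  # last wins
    return params

def audit(text):
    """Map each directive to ok / missing / smb1-allowed / unrecognized."""
    params, result = global_params(text), {}
    for label in REQUIRED:
        value = params.get(label.replace(" ", ""), "").upper()
        if not value:
            result[label] = "missing"
        elif value.startswith(("SMB2", "SMB3")):
            result[label] = "ok"
        elif value in LEGACY:
            result[label] = "smb1-allowed"
        else:
            result[label] = "unrecognized"
    return result

# Constructed sample: client line as on this page, server line commented out
# and then overridden through the synonym; the [share] line must be ignored.
SAMPLE = """[global]
   Client Min Protocol = SMB2
   ; server min protocol = SMB2
   min protocol = NT1
[share]
   client min protocol = NT1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The script reads only the text it is given; include files and the defaults compiled into a particular Samba build are not resolved, which is why an absent directive is reported as "missing" rather than assumed safe.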

OS X:

While OS X and macOS use the SMB protocol, the default for these systems is SMBv2 in versions 10.9 and 10.10 and SMBv3 in versions after that. Unfortunately, since Apple uses its own implementation of the SMB protocol (as opposed to Samba), there doesn’t appear to be a clear way to completely disable the use of SMBv1 on OS X and macOS clients.  Since the final phase of the SMBv1 removal plan involves disabling SMBv1 traffic going through the firewall, the risk presented by OS X and macOS clients up to that time is considered minimal.

Last updated: August 02, 2017