Disable SMB1 support in Samba Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-103 Final 1 1 2019-06-04T00:00:00 Current version 2019-06-04T00:00:00 2019-06-04T00:00:00 Server Message Block (SMB) 1.0 - a legacy file and print sharing protocol - has been deprecated by Microsoft due to multiple weaknesses (remote code execution, downgrade, man-in-the-middle, collision and pre-image attack).While it is only used as a client in FortiOS, as a measure of precaution SMBv1 support in FortiOS SSL-VPN and DLP is now disabled by default starting from 6.0.1 [1][2] and 5.6.6 [3] for High-End models (FortiGate 1000 series and higher models) and Virtual Machine models and can be re-enabled by applying the following CLI commands (not recommended):[1] FortiOS 6.2 branch (6.2.0 and above):'''conf vpn ssl web portaledit {portal-name} set smb-min-version smbv1 # (note: default value is "smbv2") set smb-max-version smbv1 # (note: default value is "smbv3") nextend '''[2] FortiOS 6.0 branch (6.0.1 and above):'''conf vpn ssl web portaledit {portal-name} set smbv1 enable # (note: default value is “disable”)nextend '''[3] FortiOS 5.6 branch (5.6.6 and above):'''config vpn ssl web portaledit {portal-name} set smb-ntlmv1-auth enable # (note: default value is “disable”)nextend '''(For FortiOS 5.6.5 and below versions, the smb-ntlmv1-auth CLI command can not disable SMBv1 protocol support).SMBv1 support is also disabled by default in the FortiOS FSSO fsso-polling feature starting from 6.2.0 [4] for High-End models and Virtual Machine models and can be enabled by applying the following CLI commands:[4] FortiOS 6.2.0 branch:'''config user fsso-pollingset smbv1 {enable|*disable} # (default value is "disable")end '''For Entry-Levels and Mid-Range models, SMBv1 remains the only supported SMB protocol. Execute unauthorized code or commands FortiOS High-End models and Virtual Machine models: FortiOS 6.0.0, 5.6.5 and below.FortiOS Entry-Levels and Mid-Range models: FortiOS all versions.At leastFortiMail version 5.3.13At leastFortiAuthenticator 5.0 all versions FortiOS:For High-End models and Virtual Machine models, upgrade to FortiOS 6.0.1, 5.6.6 or newer versions.For Entry-Levels and Mid-Range models, starting from FortiOS 5.6.11, 6.0.7 and 6.2.1, when SMBv1 is used under the SSL VPN web portal, a warning bar will be shown to the user under login page and later pages, alerting about using a deprecated and unsafe SMBv1 protocol.Details of FortiOS model specifications: https://www.fortinet.com/products/next-generation-firewall/models-specs.htmlFortiMail:Upgrade to FortiMal 5.4.0 or newer versionsFortiAuthenticator:Upgrade to FortiAuthenticator 5.1.0 or newer versionsRevision History:08-08-2017 Initial version06-04-2019 New CLI commands and security warning bar introduced08-22-2019 Update warning bar introduced branch versions.04-20-2023 Reformatted, added missing platforms in SA body to match info table https://fortiguard.fortinet.com/psirt/FG-IR-17-103 Disable SMB1 support in Samba https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/ https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/ https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-103 Disable SMB1 support in Samba Reference> https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/ https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/ https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010