Security Vulnerability: SMB is not encrypted by default

Description

All SMB connections are not encrypted and not server signed.
Both should be considered a big security vulnerability and get a CVE.
Also there is no UI option to enable it. Signing is not working.

Host ID: 3aa61a159231ad97b13670213953fb013049aca013ade3a8e0e07e82e6d412e1

Session ID: c8b7771d-4d07-6a58-a38c-22ddeab7f28f

Problem/Justification

None

Impact

None

Activity

Bug Clerk June 27, 2024 at 8:29 PM

This issue has now been closed. Comments made after this point may not be viewed by the TrueNAS Teams. Please open a new issue if you have found a problem or need to re-engage with the TrueNAS Engineering Teams.

Stefan Greiner June 26, 2024 at 9:57 PM

Thank you for your work and also for the tips regarding the GPOs. I am looking forward to v24.10.

Andrew Walker June 26, 2024 at 6:34 PM

NOTE: if you are concerned about having Windows SMB clients always use signing in your environment, then you should make a GPO change client side to always sign SMB2+ traffic. This defaults to off “Digitally sign communications (always)”. The similarly named (and default-enabled) parameter “Digitally sign communication (if server agrees)” is SMB 1.

Andrew Walker June 25, 2024 at 7:17 PM

Added tests to explicitly validate that SMB clients can negotiate different encryption levels for shares (current behavior). To come will be PR to allow users to alternatively require encrypted sessions. This is a disruptive change and so will be non-default and targeted for 24.10.

Note: this is not a security vulnerability. This is default upstream samba behavior for SMB shares and there is no technical limitation preventing an SMB client from negotiating an encrypted session if it is required. Although it is not particularly easy to change the default samba behavior regarding this in TrueNAS 24.04, it is possible if an environment requires it via API and CLI methods.

Stefan Greiner June 25, 2024 at 1:18 AM
Edited

  • Freshly installed TrueNAS SCALE 24.04.1.1

  • created a user for SMB

  • created an SMB share with the “SMB” dataset preset

  • mounted share on Windows 11 as network drive

PowerShell as Admin on Windows to check security:

Get-SmbConnection | Select-Object -Property SmbInstance,Credential,UserName,ServerName,ShareName,Dialect,Encrypted,Signed,Cim*
SmbInstance           : Default
Credential            : PC\user
UserName              : PC\user
ServerName            : 192.168.1.5
ShareName             : test
Dialect               : 3.1.1
Encrypted             : False
Signed                : False
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

No encryption by default? Can I enable it in the UI? No

So I went into the command line of TrueNAS, as there are no aux params available anymore in the UI, and did this:

service smb update smb_options="server smb encrypt = required\nserver signing = mandatory"

After that I checked the PowerShell again:

SmbInstance           : Default
Credential            : PC\user
UserName              : PC\user
ServerName            : 192.168.1.5
ShareName             : test
Dialect               : 3.1.1
Encrypted             : True
Signed                : False
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

Encryption works now. Users should not need to make those special settings; there should be a UI option that defaults to “encryption enabled”, in my opinion.

Also I noticed that setting aux params on a per-share basis is completely broken right now: you cannot enter more than one line, because the parser breaks (a, b, c, d are just an example)

sharing smb update id=1 auxsmbconf="a = b\nc = d"

→ server smb encrypt = required

→ server signing = mandatory

Server signing should be mandatory for users who use the old CIFS by enabling “Enable SMB1 support” in the SMB service settings.
I am far from an expert in all of this, especially as anonymous guest access seems to play a role with these settings.

Edit: smbstatus info on server side without special aux params: no encryption and no signing is used

Samba version 4.19.6

PID     Username  Group  Machine                                   Protocol Version  Encryption            Signing
-----------------------------------------------------------------------------------------------------------------------
352622  user      user   192.168.1.114 (ipv4:192.168.1.114:58349)  SMB3_11           partial(AES-128-GCM)  partial(AES-128-GMAC)

Service  pid     Machine        Connected at                   Encryption  Signing
-----------------------------------------------------------------------------------
test     352622  192.168.1.114  Tue Jun 25 03:23:05 2024 CEST  -           -

After setting the smb_options via CLI: encryption and signing enabled and actively used:

Samba version 4.19.6

PID     Username  Group  Machine                                   Protocol Version  Encryption   Signing
------------------------------------------------------------------------------------------------------------
370466  user      user   192.168.1.114 (ipv4:192.168.1.114:58413)  SMB3_11           AES-128-GCM  AES-128-GMAC

Service  pid     Machine        Connected at                   Encryption   Signing
-------------------------------------------------------------------------------------
test     370466  192.168.1.114  Tue Jun 25 03:25:37 2024 CEST  AES-128-GCM  AES-128-GMAC

Thank you for considering at least the UI option and maybe change the default!
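The following is an added example, not code from the issue, from TrueNAS or from Samba. It turns the reporter's manual Get-SmbConnection check into a reusable client-side audit and pairs it with the client-side hardening Andrew Walker's GPO comment refers to, using only the built-in SmbShare cmdlets (Windows 10/11, Server 2016+). The server address 192.168.1.5 and share name test are taken from the issue; the drive letter T: is a placeholder, and the function names are the example's own. Note that a session Windows reports as Encrypted=True and Signed=False (as in the reporter's second output) is not unsigned in the sense that matters: SMB3 encryption with AES-GCM/CCM provides integrity, so signing is simply not negotiated separately.

```powershell
# Added example (not from the issue, TrueNAS or Samba): audit the SMB sessions
# a Windows client currently has open and fail closed on any that are neither
# encrypted nor signed. Requires the built-in SmbShare module.

function Get-SmbConnectionAudit {
    # One row per open SMB connection with a security verdict:
    #   Encrypted  - SMB3 encryption on; confidentiality and integrity (GCM/CCM)
    #   SignedOnly - integrity only; payload still readable on the wire
    #   Plaintext  - neither; readable and forgeable by anyone on the path
    foreach ($c in Get-SmbConnection) {
        $status = if ($c.Encrypted) { 'Encrypted' } elseif ($c.Signed) { 'SignedOnly' } else { 'Plaintext' }
        [pscustomobject]@{
            Server    = $c.ServerName
            Share     = $c.ShareName
            User      = $c.UserName
            Dialect   = $c.Dialect
            Encrypted = $c.Encrypted
            Signed    = $c.Signed
            # Anything below dialect 2.x is SMB1/CIFS, which cannot do SMB3 encryption at all.
            Legacy    = ([version]$c.Dialect).Major -lt 2
            Status    = $status
        }
    }
}

function Assert-SmbConnectionsSecure {
    # Throws if any connection is Plaintext; with -RequireEncryption,
    # SignedOnly sessions are rejected as well.
    param([switch]$RequireEncryption)
    $bad = Get-SmbConnectionAudit | Where-Object {
        $_.Status -eq 'Plaintext' -or ($RequireEncryption -and $_.Status -ne 'Encrypted')
    }
    if ($bad) {
        $bad | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Insecure SMB connections present: $(@($bad).Count)"
    }
    'All SMB connections meet policy.'
}

# --- Client-side hardening, the counterpart of the server-side smb_options ---

# 1. Per mapping: refuse the session unless the server encrypts it. The mount
#    fails, rather than silently downgrading, if the server will not encrypt.
#    (T: is a placeholder drive letter.)
New-SmbMapping -LocalPath 'T:' -RemotePath '\\192.168.1.5\test' -RequirePrivacy $true

# 2. Client-wide: always sign SMB2+ traffic. This is the cmdlet equivalent of the
#    policy "Microsoft network client: Digitally sign communications (always)".
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

# Re-audit: with -RequirePrivacy the T: connection must now report Encrypted=True.
Get-SmbConnectionAudit | Format-Table -AutoSize
Assert-SmbConnectionsSecure -RequireEncryption
```

Run the audit part first on an existing mapping to reproduce the reporter's observation (Encrypted=False, Signed=False against a default TrueNAS share), then apply the server-side `server smb encrypt = required` from the comment above or the client-side `-RequirePrivacy` mapping and re-run it. Requiring encryption on either side is enough to prevent a cleartext session; requiring it on both means a misconfiguration on one side fails the mount loudly instead of degrading quietly.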

Behaves as Intended

Created June 23, 2024 at 10:36 PM
Updated June 27, 2024 at 8:29 PM
Resolved June 27, 2024 at 8:29 PM