-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2012
                 FortiOS by default disables SMBv1 support
                                5 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-17-103

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS by default disables SMBv1 support

IR Number : FG-IR-17-103

Date      : Aug 08, 2017

Risk      : 3/5

Impact    : Insecure Protocol Support

Summary

Server Message Block (SMB) 1.0, a legacy file and print sharing protocol, has
been deprecated by Microsoft because of multiple weaknesses (remote code
execution, downgrade, man-in-the-middle, collision and pre-image attacks).


FortiOS only uses SMB as a client. Nevertheless, as a precautionary measure,
SMBv1 support in FortiOS SSL-VPN and DLP is disabled by default starting from
6.0.1 [1][2] and 5.6.6 [3] on High-End models (FortiGate 1000 series and
higher) and Virtual Machine models. It can be re-enabled with the following
CLI commands (not recommended):


[1] FortiOS 6.2 branch (6.2.0 and above):

    config vpn ssl web portal
        edit {portal-name}
            set smb-min-version smbv1    (default value is "smbv2")
            set smb-max-version smbv1    (default value is "smbv3")
    end


[2] FortiOS 6.0 branch (6.0.1 and above):

    config vpn ssl web portal
        edit {portal-name}
            set smbv1 enable    (default value is "disable")
    end


[3] FortiOS 5.6 branch (5.6.6 and above):

    config vpn ssl web portal
        edit {portal-name}
            set smb-ntlmv1-auth enable    (default value is "disable")
        next
    end

(In FortiOS 5.6.5 and earlier, the smb-ntlmv1-auth CLI command does not
disable SMBv1 protocol support; SMBv1 can only be turned off from 5.6.6.)


SMBv1 support is also disabled by default in the FortiOS FSSO polling feature
(fsso-polling) starting from 6.2.0 [4] on High-End models and Virtual Machine
models, and can be re-enabled with the following CLI commands:


[4] FortiOS 6.2.0 branch:

    config user fsso-polling
        set smbv1 {enable|*disable}    (default value is "disable")
    end


On Entry-Level and Mid-Range models, SMBv1 remains the only supported SMB
protocol, so none of the commands above apply to them.
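As an added example (not part of the Fortinet advisory and not Fortinet's code), the following Python audits an offline FortiOS configuration backup for the settings listed above that turn SMBv1 back on, and emits the CLI that restores the defaults. It assumes the standard config/edit/set/next/end layout of a FortiOS backup and that settings at their default value are omitted from the backup, which is how FortiOS writes them. The sample backup embedded in the script is constructed for this example; the portal names and server addresses are made up.

```python
"""Audit a FortiOS CLI backup for SMBv1 being explicitly re-enabled.

Added example for this bulletin; not code from Fortinet or the advisory.
It walks the config / edit / set / next / end structure of a FortiOS
backup, reports the SSL-VPN web-portal and FSSO polling settings named in
the advisory, and prints the CLI that restores the secure defaults.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample backup (not from a real device): portal names and
# server addresses are made up; the keywords are the ones in the advisory.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set smb-min-version smbv1
        set smb-max-version smbv3
    next
    edit "legacy-only"
        set smb-min-version smbv1
        set smb-max-version smbv1
    next
    edit "web-access"
        set smb-min-version smbv2
    next
    edit "old-portal"
        set smbv1 enable
        set smb-ntlmv1-auth enable
    next
end
config user fsso-polling
    edit 1
        set server "192.0.2.10"
        set smbv1 enable
    next
    edit 2
        set server "192.0.2.11"
    next
end
"""

Path = Tuple[str, ...]
Settings = Dict[Path, Dict[str, List[str]]]
Finding = Tuple[str, str, str, str]  # (table, entry, observed line, remediation)

# (table, key, value) that re-enables SMBv1 -> command restoring the default.
SMBV1_RULES: Dict[Tuple[str, str, str], str] = {
    ("vpn ssl web portal", "smb-min-version", "smbv1"): "set smb-min-version smbv2",  # 6.2
    ("vpn ssl web portal", "smb-max-version", "smbv1"): "set smb-max-version smbv3",  # 6.2
    ("vpn ssl web portal", "smbv1", "enable"): "set smbv1 disable",                   # 6.0
    ("vpn ssl web portal", "smb-ntlmv1-auth", "enable"): "set smb-ntlmv1-auth disable",  # 5.6.6+
    ("user fsso-polling", "smbv1", "enable"): "set smbv1 disable",                    # 6.2.0
}


def parse_fortios_config(text: str) -> Settings:
    """Map each nesting path (config ..., edit ...) to its `set` keys and values.
    A FortiOS backup omits settings at their default, so a missing key means
    "default", not "disabled"."""
    settings: Settings = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # strips the double quotes FortiOS prints
        if words[0] in ("config", "edit"):
            stack.append(words[0] + " " + " ".join(words[1:]))
        elif words[0] == "next":
            if stack and stack[-1].startswith("edit "):
                stack.pop()
        elif words[0] == "end":
            if stack and stack[-1].startswith("edit "):  # 'end' typed inside an
                stack.pop()                              # edit closes the entry too
            if stack:
                stack.pop()
        elif words[0] == "set" and len(words) >= 3:
            settings.setdefault(tuple(stack), {})[words[1]] = words[2:]
    return settings


def smbv1_findings(settings: Settings) -> List[Finding]:
    """Return every setting that explicitly permits SMBv1. The innermost table
    and entry are used, so a multi-VDOM backup (nested under config vdom) works."""
    findings: List[Finding] = []
    for path, keys in settings.items():
        tables = [p[len("config "):] for p in path if p.startswith("config ")]
        entries = [p[len("edit "):] for p in path if p.startswith("edit ")]
        if not tables:
            continue
        table, entry = tables[-1], (entries[-1] if entries else "")
        for key, values in keys.items():
            fix = SMBV1_RULES.get((table, key, values[0]))
            if fix:
                findings.append((table, entry, f"set {key} {' '.join(values)}", fix))
    return findings


def remediation_cli(findings: List[Finding]) -> str:
    """Group the fixes per table entry into a FortiOS CLI script."""
    by_entry: Dict[Tuple[str, str], List[str]] = {}
    for table, entry, _observed, fix in findings:
        by_entry.setdefault((table, entry), []).append(fix)
    lines: List[str] = []
    for (table, entry), fixes in by_entry.items():
        lines.append(f"config {table}")
        if entry:  # numeric ids unquoted, names double-quoted, as FortiOS prints them
            name = entry if entry.isdigit() else f'"{entry}"'
            lines.append(f"    edit {name}")
        lines.extend(f"        {fix}" for fix in fixes)
        if entry:
            lines.append("    next")
        lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = smbv1_findings(parse_fortios_config(SAMPLE_CONFIG))
    for table, entry, observed, fix in found:
        print(f"[{table}] {entry or '(global)'}: {observed}  ->  {fix}")
    print(remediation_cli(found))
```

To run it against a real device, replace SAMPLE_CONFIG with the contents of a backup taken from the CLI or GUI. Because FortiOS omits default values, the audit only reports SMBv1 that was explicitly re-enabled, which is exactly what matters on High-End and Virtual Machine models from the releases named above; on Entry-Level and Mid-Range models SMBv1 is the only SMB dialect regardless of these settings, so there a clean result does not mean SMBv1 is off.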

Impact

Insecure Protocol Support

Affected Products

FortiOS High-End models and Virtual Machine models: FortiOS 6.0.0, 5.6.5 and
below.


FortiOS Entry-Level and Mid-Range models: all FortiOS versions.

Solutions

For High-End models and Virtual Machine models, upgrade to FortiOS 6.0.1, 5.6.6
or newer versions.


For Entry-Level and Mid-Range models, starting from FortiOS 5.6.10, 6.0.6 and
6.2.1, a warning bar is shown on the SSL VPN web portal login page and on the
following pages whenever SMBv1 is in use, alerting the user that the
deprecated and unsafe SMBv1 protocol is being used.


Details of FortiOS model specifications:

https://www.fortinet.com/products/next-generation-firewall/models-specs.html


Revision History:

06-04-2019 New CLI commands and security warning bar introduced
08-08-2017 Initial version

References

  o https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/

  o https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----