-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2012
                  FortiOS by default disables SMBv1 support
                                 5 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-17-103

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS by default disables SMBv1 support

IR Number : FG-IR-17-103
Date      : Aug 08, 2017
Risk      : 3/5
Impact    : Insecure Protocol Support

Summary

Server Message Block (SMB) 1.0 - a legacy file and print sharing protocol - has
been deprecated by Microsoft due to multiple weaknesses (remote code execution,
downgrade, man-in-the-middle, collision and pre-image attacks).

FortiOS uses SMB only as a client. As a precaution, SMBv1 support in the
FortiOS SSL-VPN and DLP features is nevertheless disabled by default starting
from 6.0.1 [1][2] and 5.6.6 [3] on High-End models (FortiGate 1000 series and
higher) and Virtual Machine models. It can be re-enabled with the following CLI
commands (not recommended):

[1] FortiOS 6.2 branch (6.2.0 and above):

    config vpn ssl web portal
        edit {portal-name}
            set smb-min-version smbv1    (note: default value is "smbv2")
            set smb-max-version smbv1    (note: default value is "smbv3")
        next
    end

[2] FortiOS 6.0 branch (6.0.1 and above):

    config vpn ssl web portal
        edit {portal-name}
            set smbv1 enable             (note: default value is "disable")
        next
    end

[3] FortiOS 5.6 branch (5.6.6 and above):

    config vpn ssl web portal
        edit {portal-name}
            set smb-ntlmv1-auth enable   (note: default value is "disable")
        next
    end

    (On FortiOS 5.6.5 and earlier the smb-ntlmv1-auth CLI command cannot
    disable SMBv1 protocol support, so on those releases only an upgrade
    removes it.)

SMBv1 support is also disabled by default in the FortiOS FSSO fsso-polling
feature starting from 6.2.0 [4] on High-End models and Virtual Machine models
and can be enabled with the following CLI commands:

[4] FortiOS 6.2.0 branch:

    config user fsso-polling
        set smbv1 {enable|*disable}      (default value is "disable")
    end

For Entry-Level and Mid-Range models, SMBv1 remains the only supported SMB
protocol.

Impact

Insecure Protocol Support

Affected Products

FortiOS High-End models and Virtual Machine models: FortiOS 6.0.0, 5.6.5 and
below.
FortiOS Entry-Level and Mid-Range models: FortiOS all versions.

Solutions

For High-End models and Virtual Machine models, upgrade to FortiOS 6.0.1,
5.6.6 or newer versions.

For Entry-Level and Mid-Range models, starting from FortiOS 5.6.10, 6.0.6 and
6.2.1, when SMBv1 is used under the SSL VPN web portal a warning bar is shown
to the user on the login page and later pages, alerting that the deprecated
and unsafe SMBv1 protocol is in use.
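Auditing a configuration backup for the settings above, as an example added by the editor (it is not part of the Fortinet advisory or of the AusCERT bulletin): the script flattens a FortiOS CLI backup, flags each of the four CLI knobs listed in [1]-[4] wherever it is set to allow SMBv1, and applies the version thresholds stated in this advisory to say whether SMBv1 is off by default on that platform. The sample backup is constructed; the "#config-version=<model>-<x.y.z>-FW-..." header line and the "edit <id>" table layout under "config user fsso-polling" are assumptions about the backup format that the advisory itself does not state, and the model class (High-End/VM or not) must be supplied by the operator.

```python
"""Audit a FortiOS CLI backup for SMBv1 exposure (editor's added example).

Not code from the Fortinet advisory or AusCERT. It flattens the backup's
'config / edit / set / next / end' layout, flags every CLI setting named in
FG-IR-17-103 that leaves the SMBv1 client usable, and applies the advisory's
version thresholds. Assumed (not stated by the advisory): the
'#config-version=<MODEL>-<x.y.z>-FW-...' header line of a backup and the
'edit <id>' table form of 'config user fsso-polling'.
"""
import re
from typing import Dict, List, Optional, Tuple

_EDIT_RE = re.compile(r'^edit\s+"?(.*?)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')
_VERSION_RE = re.compile(r'^#config-version=\S+?-(\d+\.\d+\.\d+)-')

# Constructed sample backup (not a real device export); one portal per CLI shape.
SAMPLE_CONFIG = """\
#config-version=FG1K5D-6.2.1-FW-build0932-190716:opmode=0:vdom=0:user=admin
config vpn ssl web portal
    edit "full-access"
        set smb-min-version smbv2
        set smb-max-version smbv3
    next
    edit "legacy-portal"
        set smb-min-version smbv1
        set smb-max-version smbv1
    next
    edit "branch-60"
        set smbv1 enable
    next
    edit "branch-56"
        set smb-ntlmv1-auth disable
    next
end
config user fsso-polling
    edit 1
        set server "10.0.0.5"
        set smbv1 enable
    next
end
"""


def parse_fortios_config(text: str) -> Dict[Tuple[str, Optional[str]], Dict[str, str]]:
    """Return {(config path, edit name or None): {setting: value}} for every 'set'.

    A stack of [config name, current edit] frames keeps an outer entry's context
    across nested 'config ... end' blocks. Settings placed directly under
    'config' with no 'edit' (the fsso-polling form shown in the advisory) are
    stored under edit name None.
    """
    tree: Dict[Tuple[str, Optional[str]], Dict[str, str]] = {}
    frames: List[List[Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            frames.append([line[len("config "):].strip(), None])
        elif line == "end":
            frames.pop()
        elif line == "next":
            frames[-1][1] = None
        elif _EDIT_RE.match(line):
            frames[-1][1] = _EDIT_RE.match(line).group(1)
        elif _SET_RE.match(line) and frames:
            m = _SET_RE.match(line)
            outer = [n if e is None else f"{n}[{e}]" for n, e in frames[:-1]]
            key = (" > ".join(outer + [frames[-1][0]]), frames[-1][1])
            tree.setdefault(key, {})[m.group(1)] = m.group(2).strip().strip('"')
    return tree


def config_version(text: str) -> Optional[Tuple[int, ...]]:
    """Read the firmware version from the (assumed) backup header, e.g. (6, 2, 1)."""
    for raw in text.splitlines():
        m = _VERSION_RE.match(raw.strip())
        if m:
            return tuple(int(x) for x in m.group(1).split("."))
    return None


def smbv1_disabled_by_default(version: Tuple[int, ...], high_end_or_vm: bool) -> bool:
    """FG-IR-17-103 thresholds: off by default only on High-End (FortiGate 1000
    series and up) and VM models running 5.6.6+ on the 5.6 branch or 6.0.1+;
    Entry-Level and Mid-Range models support only SMBv1 on every release."""
    if not high_end_or_vm:
        return False
    return version >= (6, 0, 1) or (5, 6, 6) <= version < (6, 0, 0)


def find_smbv1_exposure(text: str, high_end_or_vm: bool = True) -> List[str]:
    """List each place the backup allows SMBv1, plus a platform-level finding
    when the running release does not disable it by default."""
    findings = []
    for (path, entry), s in parse_fortios_config(text).items():
        where = path if entry is None else f'{path} edit "{entry}"'
        if path == "vpn ssl web portal":
            if "smbv1" in (s.get("smb-min-version"), s.get("smb-max-version")):
                findings.append(f"{where}: SMB dialect range includes SMBv1 (6.2 CLI)")
            if s.get("smbv1") == "enable":
                findings.append(f"{where}: smbv1 enable (6.0 CLI)")
            if s.get("smb-ntlmv1-auth") == "enable":
                findings.append(f"{where}: smb-ntlmv1-auth enable (5.6 CLI)")
        elif path == "user fsso-polling" and s.get("smbv1") == "enable":
            findings.append(f"{where}: fsso-polling smbv1 enable (6.2 CLI)")
    version = config_version(text)
    if version is not None and not smbv1_disabled_by_default(version, high_end_or_vm):
        findings.append("FortiOS %s: SMBv1 is not disabled by default on this platform; "
                        "upgrade (High-End/VM) or keep SMB out of the web portal"
                        % ".".join(map(str, version)))
    return findings


if __name__ == "__main__":
    for finding in find_smbv1_exposure(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real backup with find_smbv1_exposure(open(path).read(), high_end_or_vm=...); the model class is passed in rather than decoded from the header model code because the advisory gives only the FortiGate 1000 series boundary, and a portal that never sets the SMB knobs reports nothing because FortiOS omits default values from backups.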
Details of FortiOS model specifications:
https://www.fortinet.com/products/next-generation-firewall/models-specs.html

Revision History:

06-04-2019  New CLI commands and security warning bar introduced
08-08-2017  Initial version

References

o https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
o https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXPcpdGaOgq3Tt24GAQhanxAAmrNRpfwGni0Gaj6B9zZs/P/pZcWXXT2h
7HBTKc8+BmeZ7dHXeTWbSDbNr6F9QgJq6XB4m21d3SGxfhnbVQrbJzRHHEAvYE9L
qkcFU9Cc5Jncsuqe0N67FkhVpKr0S0ITzdq8NCw9zf2Qio/qB0asryNyGg+pRZE9
JPgWGVx+klX27szXLELIbKpiRk6mG5HNVaAE8vzvGK7rfNst1ucRSaB6grxp7PNF
7/Wxc9WRGDBriRwEPwEYrbouTZY6qVcR1QFsumzXRn5YGVSWz0f0ziKcF8hZAXGu
WrzgEbwPUkcmtboWbRfRTOMY5nVmJsZ3WZKFlGA/TO/fLgvCt9mxqS7XxM7aK4v7
jHJx2gCJzQ9KYBQFZEGNyvQHyfFIraWHbmptwaVF53NpYI1z/DdAHJmy3ym175WR
qL5B0t7S1jySYKDhE29ua3aThOwG7yY39/O4tuZMayt8wlSStFUzu6zrSxLM80o/
bNDnyI+oIfNNuTjScglXNDX1WtDxHQoI1wp/Y770JOX2ES4kTzYqFCuGI7gwJtmt
i3ykzInJDZNdp9lPHjab7tBAJrD98xce8v/svvqS4WHiSeXm3r37ZTvJPqAgWyC3
5R/kgLlzBF0lez5PziAaxzzfiY84IdK0w0poWGn4zr5lotPVZ13OnihYN2YaWAun
eXinlwkeIm4=
=C8Y5
-----END PGP SIGNATURE-----