PSIRT Advisory

FortiOS by default disables SMBv1 support

Summary

Server Message Block (SMB) 1.0 - a legacy file and print sharing protocol - has been deprecated by Microsoft due to multiple weaknesses (remote code execution, downgrade, man-in-the-middle, collision and pre-image attack).


While it is only used as a client in FortiOS, as a measure of precaution SMBv1 support in FortiOS SSL-VPN and DLP is now disabled by default starting from 6.0.1 [1][2] and 5.6.6 [3] for High-End models (FortiGate 1000 series and higher models) and Virtual Machine models and can be re-enabled by applying the following CLI commands (not recommended):


[1] FortiOS 6.2 branch (6.2.0 and above):

conf vpn ssl web portal

edit {portal-name}

set smb-min-version smbv1 (note: default value is "smbv2")

set smb-max-version smbv1 (note: default value is "smbv3")

end


[2] FortiOS 6.0 branch (6.0.1 and above):

conf vpn ssl web portal

edit {portal-name}

set smbv1 enable (note: default value is “disable”)

end


[3] FortiOS 5.6 branch (5.6.6 and above):

config vpn ssl web portal

edit {portal-name}

set smb-ntlmv1-auth enable (note: default value is “disable”)

next

end

(For FortiOS 5.6.5 and below versions, the smb-ntlmv1-auth CLI command can not disable SMBv1 protocol support).


SMBv1 support  is also disabled by default in the FortiOS FSSO fsso-polling feature starting from 6.2.0 [4] for High-End models and Virtual Machine models and can be enabled by applying the following CLI commands:


[4] FortiOS 6.2.0 branch:

config user fsso-polling

set smbv1 {enable|*disable} (default value is "disable")

end


For Entry-Levels and Mid-Range models, SMBv1 remains the only supported SMB protocol.

Impact

Insecure Protocol Support

Affected Products

FortiOS High-End models and Virtual Machine models: FortiOS 6.0.0, 5.6.5 and below.


FortiOS Entry-Levels and Mid-Range models: FortiOS all versions.

Solutions

For High-End models and Virtual Machine models, upgrade to FortiOS 6.0.1, 5.6.6 or newer versions.


For Entry-Levels and Mid-Range models, starting from FortiOS 5.6.11, 6.0.7 and 6.2.1, when SMBv1 is used under the SSL VPN web portal, a warning bar will be shown to the user under login page and later pages, alerting about using a deprecated and unsafe SMBv1 protocol.


Details of FortiOS model specifications: 

https://www.fortinet.com/products/next-generation-firewall/models-specs.html


Revision History:

08-22-2019 Update warning bar introduced branch versions.
06-04-2019 New CLI commands and security warning bar introduced
08-08-2017 Initial version