Answered

Support for SMB v2 or v3


With all the recent reports and issues with the WannaCry ransomware I wanted to restrict use of SMB v1 on my home network. My NAS blocks this to the outside world but I wanted to secure things internally as well. I can configure the NAS to not support SMB v1 but this then prevents the Sonos controller app from seeing the share. When will Sonos support later versions of SMB? I had seen another thread on this somewhere and it sounded like it wasn't going anywhere. Is it possible to get an update on this please.

Best answer by Phil.Coleman 15 May 2017, 20:48

The problem is that as long as companies produce products that rely on old out of date software other companies have to continue to support them to remain relevant in the market, it's a vicious cycle.


37 replies

Userlevel 5
Badge +4
Here's the link to the previous topic regarding SMBv1. I fully agree that at this point it should be removed, but NAS devices still ship with it enabled, and most don't provide any way to turn it off either. I would imagine if most NAS manufacturers started removing support for SMBv1, you'd probably find Sonos moves pretty quickly to update their devices.

https://en.community.sonos.com/troubleshooting-228999/sonos-smb-implementation-error-900-when-adding-music-library-6765736
Ya with you guys. I shut off SMBv1 on everything internally including my NAS which broke my SONOS music share. I hope it gets resolved soon. I'm not about to enable SMBv1.
The problem is that as long as companies produce products that rely on old out of date software other companies have to continue to support them to remain relevant in the market, it's a vicious cycle.
Userlevel 1
Badge +1
I put my insecure stuff on a dedicated LAN segment that is blocked from communicating with the rest of my stuff on other, more trusted segments. It isn't a solution but at least it limits any problems as much as possible.
Just disabled SMB2 in our network and moved the library to a Linux box instead.
A shame that SONOS still doesn't support SMB2. Last time I looked in the calendar it was 2017.
Userlevel 5
Badge +3
As far as I'm aware there have been very few, if any, reports of domestic infection from the WannaCry ransomware.

So, I don't want to cry (wolf).
Userlevel 5
Badge +4
Reality is, as long as you've kept your computers patched, the fix was released two months ago for operating systems still supported by Microsoft. But that still doesn't mean that SMBv1 should be used when there are better, more secure options available in the form of newer versions of SMB.

Keep in mind that US-CERT is recommending not using SMBv1 as part of its SMB Best Practices... so I think it's pretty important to move on to a newer, more secure version.
Badge
Stanley_4 wrote:

I put my insecure stuff on a dedicated LAN segment that is blocked from communicating with the rest of my stuff on other, more trusted segments. It isn't a solution but at least it limits any problems as much as possible.


I did something similar by putting my Sonos content on a disposable hard drive attached to an Apple Airport. For the meagre NAS bandwidth requirements of a Sonos, this solution is adequate. That way, I can keep the minimum connection requirements for the main server at SMB3. As the music share on the main server is updated, I simply clone the Airport drive to match.

I don't expect a major shift in the industry until ransomware broadly infects SOHO sites. Why Sonos is putting off the inevitable is a mystery to me, however. Updating the ZP network stack with more recent versions of readily-available SMB libraries should be trivial compared to the work that went into developing their innovative mesh networking strategy.
Badge
MikeV wrote:

Here's the link to the previous topic regarding SMBv1. I fully agree that at this point it should be removed, but NAS devices still ship with it enabled, and most don't provide any way to turn it off either.



AFAIK, current versions of Windows server as well as FreeNAS ship with SMB1 and NTLM v1 authentication turned off by default. They have to be manually enabled.
Constantin, you have no idea whether Sonos is "putting off" anything. Sonos is very tight lipped as to what is being worked on, and anyone who does know is bound by an NDA. For all you or I know, the very next Sonos release could contain support for other versions of SMB, so you definitively stating that Sonos is putting it off is pure speculation and negativity.
Badge
Sonos has made zero commitment in these forums regarding this feature request, one that is allegedly 3 years old.

I have no way of verifying whether it's been three years or not but Microsoft has been pretty vocal about dropping SMB1 and NTLM v1 in particular for several years now. Presumably, the folk at Sonos who do the network stack development are aware of said stance and the potential consequences of not offering SMB2 support.

Requiring customers to dumb down the security of their servers to use a product doesn't seem particularly helpful. No server I'm aware of allows customers to selectively enable/disable SMB1 on a per share basis, but I'm happy to be wrong. At least for FreeNAS, it seems to be an all or nothing thing. Forums for Synology, QNAP, etc. also document how to revert a server to SMB1 after server software upgrades disable SMB1 support by default.

I'm not advocating for Sonos to abandon SMB1 and only use SMB2+, as that might impact their users negatively. But giving users the option of using SMB2+ would be great. There was a time when feature requests could be reviewed/logged at ask.sonos.com. Any idea what happened to that since you seem to know so much about the company and its policies?
Constantin wrote:

There was a time when feature requests could be reviewed/logged at ask.sonos.com. Any idea what happened to that


I believe it was discontinued because it gave Sonos information overload.
Sonos makes zero commitment to 99% of the requests on this forum, then they will show up on a release, sometimes years later. Once again, you have no information on what Sonos is or is not working on, and therefore shouldn't be making definitive statements.
Badge
Let's recap: 1) there is a known security risk that the original developer alerted the industry to years ago. 2) Users have allegedly asked Sonos about upgrading the SMB stack for several years now 3) Sonos has made no commitment to fix a known security risk for which there are multiple known solutions. You might find this behavior acceptable in your relentless defense of the company, I'm simply puzzled by it.

To me, requiring customers to dumb down their server security carries enormous reputation risk if something does go wrong and many customers are affected by an exploit. I recognize that users are responsible for their own server settings and have to live with whatever security decisions they made but it would be great if Sonos made a commitment to be part of the solution rather than a potential enabler for the problems associated with SMB1 security.
You forgot to add:

1b) Sonos makes no true commitment on 99% of the requests here, and AndyB from Sonos specifically stated in another thread that this issue has not gone unheard and options are being explored at this time:

Hi th3bigguy - I don't have an update to provide at this time on when we'll be moving away from using SMBv1 for music library sharing. Our customers' concerns around the vulnerability of SMBv1 have not gone unheard and we are exploring alternate options. When I do have a bit more to share, I'll come back and update this thread.



https://en.community.sonos.com/troubleshooting-228999/sonos-smb-implementation-error-900-when-adding-music-library-6765736/index1.html

Kinda throws a wrench in your little narrative, eh?
Badge
Not particularly. Awareness != commitment to fix the issue. They can explore an issue all day and do nothing about it. Cheerleading will not make the issue go away.
Yeah, I figured you'd say that. Doesn't change the fact your narrative is nonsense when confronted with the fact they acknowledged the problem and stated they are looking into options. That response alone is more indicative of their intentions than 99% of every other response, which usually says "we will pass this on to the engineers."

And as an engineer, cheerleading may not help, but obsessed posters who exaggerate the threat and constantly harp on one thing are a definite negative, resulting in placating rather than taking action, and are the very reason the phrase "fire the customer" was invented.
Badge
... posted by someone with 13000+ posts. LOL. I guess it's OK to be obsessive as long as one only takes the side of the company, eh? :D

I'll be happy to pull out my pom-poms and cheerleading uniform when Sonos delivers the goods, not sooner. :cool:
Constantin wrote:

... posted by someone with 13000+ posts. LOL. I guess it's OK to be obsessive as long as one only takes the side of the company, eh? :D

I'll be happy to pull out my pom-poms and cheerleading uniform when Sonos delivers the goods, not sooner. :cool:



And there it is, the personal attack.

For your info, I've been posting for 9 years. That's less than 4 posts a day, the majority of which are helping people. But hey, attacking the messenger instead of the message is always an effective way to argue. :8
Badge
OK I understand that Sonos has sadly become one of those companies that will only make changes if it brings in revenue, and hence why they have not bothered to enhance their code to support SMB2.

However, will a computer hosting *local files* with SMBv1 disabled (as Windows disables SMBv1 by default as it is so exploitable) be totally unusable by Sonos devices? i.e. When I try to add local folders on that machine to my library and it continually fails with the "not responding" message.
Userlevel 5
Badge +4
If the computer doesn't have SMBv1 enabled, then your Sonos devices - which are what actually do the indexing of your music library - won't be able to connect to your computer. That might explain why the controller comes back with "Not responding" when you try to add the folders (maybe the controller is waiting for a response from the Sonos device(s) that they're able to connect and are in the process of indexing the music), but the controller itself is only telling your Sonos devices to connect to your computer, it's not actually doing anything with your music.

BTW, a little motivation for Sonos to finally upgrade... Microsoft will be disabling SMBv1 in the Windows 10 update that will hit this fall, expected around October or November. It should be noted that this will be for NEW installations of Windows 10 (new computers, clean reinstallations, etc.)... upgrade/update installations will continue to have SMBv1 enabled if it had not been disabled by the user.

Maybe a little more motivation... Microsoft is maintaining a list of products that require SMBv1, so they can tell people NOT to buy those products. Yes, Sonos is on that list.
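Added example, not part of any post in this thread: before turning SMBv1 off on a server, the first payload each client sends to TCP/445 shows whether that client can negotiate anything newer. The sketch below classifies such a payload; the function and constant names are hypothetical and the sample bytes are constructed here, not captured from a Sonos device.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

def classify_negotiate(payload: bytes) -> dict:
    """Classify a client's first TCP/445 payload: NetBIOS session header + SMB negotiate."""
    if len(payload) < 8 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        # 64-byte SMB2 header (Command at offset 12), then a 36-byte fixed negotiate body.
        if len(msg) < 100 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 NEGOTIATE request")
        count = struct.unpack_from("<H", msg, 66)[0]          # DialectCount
        if len(msg) < 100 + 2 * count:
            raise ValueError("truncated SMB2 dialect array")
        ids = struct.unpack_from(f"<{count}H", msg, 100)
        return {"request": "SMB2", "needs_smb1": False,
                "dialects": [SMB2_DIALECTS.get(i, hex(i)) for i in ids]}
    if msg[:4] == SMB1_MAGIC:
        # 32-byte SMB1 header (Command at offset 4), WordCount, ByteCount, dialect strings.
        if len(msg) < 35 or msg[4] != 0x72 or msg[32] != 0:
            raise ValueError("not an SMB1 SMB_COM_NEGOTIATE request")
        data = msg[35:35 + struct.unpack_from("<H", msg, 33)[0]]
        dialects, pos = [], 0
        while pos < len(data):
            end = data.find(b"\x00", pos + 1)
            if data[pos] != 0x02 or end < 0:                  # 0x02 = dialect buffer format
                raise ValueError("malformed SMB1 dialect list")
            dialects.append(data[pos + 1:end].decode("ascii", "replace"))
            pos = end + 1
        # Without an "SMB 2.xxx" string the server cannot upgrade this session past SMB1.
        upgradable = any(d.startswith("SMB 2.") for d in dialects)
        return {"request": "SMB1", "needs_smb1": not upgradable, "dialects": dialects}
    raise ValueError("no SMB magic after the session header")

def _frame(msg: bytes) -> bytes:                              # add NetBIOS session header
    return b"\x00" + len(msg).to_bytes(3, "big") + msg
def _smb1(names):                                             # constructed sample builder
    data = b"".join(b"\x02" + n.encode() + b"\x00" for n in names)
    return _frame(SMB1_MAGIC + b"\x72" + bytes(27) + b"\x00" + struct.pack("<H", len(data)) + data)
def _smb2(ids):                                               # constructed sample builder
    body = struct.pack("<HH", 36, len(ids)) + bytes(32) + struct.pack(f"<{len(ids)}H", *ids)
    return _frame(SMB2_MAGIC + struct.pack("<H", 64) + bytes(58) + body)

LEGACY_ONLY = _smb1(["NT LM 0.12"])                           # constructed, not a real capture
MULTI_PROTOCOL = _smb1(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SMB2_DIRECT = _smb2([0x0202, 0x0210, 0x0300, 0x0311])
```

A client whose requests all come back with `needs_smb1` set is one that will stop working when the server's SMBv1 support is switched off, which makes it a candidate for the isolated segment or separate share host described earlier in the thread.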
Another day (June 27th), another massive attack using the SMBv1 vulnerability. Microsoft reiterated the "Disable SMBv1" for all users, corporate AND home. I bet that an upcoming Patch Tuesday will turn off SMBv1 BY DEFAULT ... which would result in a FLOOD of support issues as every Sonos user with a music library finds that it has stopped working.

Acknowledged: some "legacy" NAS boxes use SMBv1.

Solution: Sonos moves to SMBv3.
Ideal solution: Sonos moves to SMBv3 AND offers a checkbox to revert back to SMBv1 under Advanced Settings.


Staying on SMBv1 puts Sonos users at risk as we cannot follow Microsoft's strong advice to disable SMBv1. Staying on SMBv1 puts SONOS at risk of universal customer backlash should Microsoft disable SMBv1 in a Patch Tuesday.
press250 wrote:

Staying on SMBv1 puts SONOS at risk of universal customer backlash should Microsoft disable SMBv1 in a Patch Tuesday.



It won't be a Patch Tuesday, but Windows Fall/Autumn edition will disable it by default.

Of course you can look at the Windows Sonos Controller and come to the conclusion that really no-one cares about Windows clients any more ...
Userlevel 1
Badge +1
Reading all of this SMBv1 security stuff got me thinking that just having it on an isolated LAN segment might not be enough and there could still be issues with my server. The solution for me is that I moved my Sonos music over to a Raspberry Pi computer with nothing of value on it to worry about. That let me disable the SMB on my server box.

I'm hoping whatever Sonos decides to do here gets done before Microsoft pulls the plug, that would be ugly.
Sonos,

1) Linux has supported SMBv2 for a number of years now, SMBv3 is also supported
2) As per the above statement, the ability to update the Sonos SMB support should not really be too difficult at all ... the libraries are out there. Update your Linux kernel if necessary and then the SAMBA version
3) The September / October Windows 10 Fall release that disables SMB v1 by default is just around the corner. I sure hope that the solution is NOT to turn it back on and make your customers less secure and reliant on 30+ year old technology
4) Your silence regarding this issue is unacceptable / communication with your customers instills trust ... that is definitely not what you're doing
5) Please respond with a real solution, not a workaround

Thanks,

Robert
