SMB1 still required in 2021 for music shares?

  • 6 February 2021
  • 35 replies
  • 5698 views

Userlevel 2

As reported in many other topics apparently it's still necessary to use SMB1 for playing music from a Synology Diskstation system? It's now 2021 and I just had to change the settings on my diskstation to allow the unsecure SMB1 in order to be able to add a shared folder to my Sonos music library.

Sonos seems to be closing all topics on this forum about this subject for further comments, but is not addressing the problem?


This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

35 replies

Userlevel 7
Badge +22

Why not work around the SMBv1 issue by using a NAS to Sonos / SMBv1 gateway?

I’d go with a Pi Zero 2 these days, about $15 if you go for a sale.

SMB v1 Gateway

Badge

 

Ideally, it’s a far better option to upgrade/switch to the new S2 Sonos system as soon as practicable.

 

I would do that, but I have a Sonos Connect that can’t upgrade to S2. Yes, I am aware that I could split my system in two, and upgrade the rest, but that would pretty much be removing the whole point of Sonos and rendering the Connect fairly useless. If they flipped the 30/70 discount on a trade-in (that is, if I could pay 30% of the new price, rather than just getting a 30% discount), I might consider it, even though the unnecessary e-waste would still be regrettable.

Yes, that is stupid.

But at least we have a choice between a known exploitable SMB1 setup, and Plex. 

Having said that. Sonos should have fixed this.

Which must surely be just as exploitable if you leave the TCP Port open (usually port 32400 by default) and not have the Plex service running on that port because you have shut down the Plex server, or have enabled UPNP on your router in order to use a dynamically assigned TCP port … I think I prefer to take my chances with SMBv1 given the choice.

It’s mentioned in various threads here that Sonos were not able to upgrade the SMB protocol on the ‘old’ Linux kernel, but they were able to introduce it on the newer S2 setup - that has now been done.

Ideally, it’s a far better option to upgrade/switch to the new S2 Sonos system as soon as practicable.

Yes, that is stupid.

 

But at least we have a choice between a known exploitable SMB1 setup, and Plex. 

 

Having said that. Sonos should have fixed this.

Badge

One problem with Plex as a workaround is that even if your NAS and your Sonos are on the same LAN, and you do *not* desire to be able to access your music externally, Plex doesn’t work if you don’t allow outside connections from the public Internet. Which IMHO is a stupid design decision that unnecessarily compromises security.

I’ve found a workaround for using S1 with a Synology NAS without activating SMB1.

  1. Create a free Plex account. A free Plex account won’t work on mobile stand alone, but that’s not an issue for our use case.
  2. Install Plex via Package manager on your Synology. From there, point Plex towards your music share folder.
  3. Add a music service in your S1 Sonos setup and look for Plex
  4. All set! Play all your lossless files without compromising security. Sonos’ in app search function will also look within Plex which is great.

You might need to add a wired connection to your Connect as I encountered bandwidth issues. But with an ethernet cable plugged in, this setup ran smoothly.

for those who want to try it, I have SMBv2 working fine with my Synology NAS - see my post here

 

So with the new Update 13.4 its Support now SMB2 and SMB3. 

 

“If you have problems with album covers: I have them too. Obviously they are not quite finished with SMB2 and SMB3, because otherwise you would have announced the possibility in a big way. The Sonos 13.4 changelog only officially included other improvements”

 

Source: https://stadt-bremerhaven.de/sonos-unterstuetzt-endlich-smb2-und-smb3/

Badge

Yes, this is ridiculous. But don’t just complain here, complain directly to Sonos.

Sadly, they no longer accept email at support@sonos.com

You can open a real time chat, which is mildly annoying. The person claimed “This case will be added on the list of customers that have the same concern.” I have no clue if that’s a lie or not, but it can’t hurt to try.

 

The best solution is to use Plex, instead of a fileshare.

this have the bonus of providing access from a phone or desktop pc to the music library everywhere.

Thank you for this! Genius and I just killed SMB1 on my Synology. Works great and now secure. Love me some Plex. 

Userlevel 7
Badge +17

In the Sonos system all speakers need to be on the same software. That’s probably why you can’t have some speakers on SMBv1 and others on v2.

Airgetlam, I know that Sonos is ignoring the SMBv1 security issue because SMBv2 was released by Microsoft in 2006.  It’s been 15 years.  If they were going to provide SMBv2 support, they would have done so by now.

There are several misconceptions that I see throughout these threads regarding SMB v1, v2, and v3 with regards to Sonos (and Denon, too).  The first misconception is that Sonos has to change the protocol on all their old devices.  What kind of development roadmap and product-line architecture prevents you from introducing improvements into new products because your old products can’t support them.  Sonos (and Denon) could let new products support SMBv2, while older units continue to support only SMBv1.  The new units could even support both v2 and v1.  This would allow owners of old Sonos products to work with a NAS that supports SMBv1, and new Sonos products to work with a NAS that supports SMBv2.  Sucks for owners of older Sonos products, though.

The second misconception is that a NAS can support only one version of SMB.  That is certainly not true for Synology DSM.  DSM 7 allows you to configure the minimum supported version of SMB as low as v1, with a default of v2. The maximum version is v3.

The third misconception is that SMBv2 is more complex than SMBv1.  Actually, in some ways it is less so.  SMBv1 has over 100 commands and subcommands.  SMBv2 has just 19.  SMBv2 also eliminates many of the underlying protocols that SMBv1 supports:  NetBIOS over IPX, NetBIOS over UDP and NetBEUI.

The fourth misconception is that a separate NAS just for streaming to Sonos is secure because it limits the vulnerability just to this single-purpose NAS.  Unfortunately, having any SMBv1 devices on your LAN compromises the entire LAN.

I’ve been thinking about an SMB gateway running on a Raspberry Pi that accesses an SMB v2 or v3 share (from a NAS), and re-shares it as SMBv1 (for shameful speaker-manufacturers’ products).  With a firewall on this host configured to allow access only to the NAS and the Sonos devices it might provide reasonable security, but I haven’t finished my evaluation.  It would be very important, though, to ensure that no other devices on the LAN have access to this gateway.

I think that Sonos’s (and Denon’s) failure to provide SMBv2 support in new products is very disrespectful to their customers.  As with many companies that don’t really understand security (or even the need for security), they think it’s OK to ignore their customers’ security needs as long as sales are good.  For shame.

 

I don't know where you are getting these "misconceptions" from, but it's not here.  Nobody ever stated them.  Matter of fact, the fact that S2 will allow Sonos to upgrade to a higher version of SMB was expressly stated as one of the benefits of the S2 split.

@rbandes,

Have you not seen this, posted by another user here with regards to a reply from Sonos CEO on this topic?

https://en.community.sonos.com/advanced-setups-229000/smb1-security-issue-lack-of-response-from-sonos-6860761?postid=16551779#post16551779

 

Airgetlam, I know that Sonos is ignoring the SMBv1 security issue because SMBv2 was released by Microsoft in 2006.  It’s been 15 years.  If they were going to provide SMBv2 support, they would have done so by now.

There are several misconceptions that I see throughout these threads regarding SMB v1, v2, and v3 with regards to Sonos (and Denon, too).  The first misconception is that Sonos has to change the protocol on all their old devices.  What kind of development roadmap and product-line architecture prevents you from introducing improvements into new products because your old products can’t support them.  Sonos (and Denon) could let new products support SMBv2, while older units continue to support only SMBv1.  The new units could even support both v2 and v1.  This would allow owners of old Sonos products to work with a NAS that supports SMBv1, and new Sonos products to work with a NAS that supports SMBv2.  Sucks for owners of older Sonos products, though.

The second misconception is that a NAS can support only one version of SMB.  That is certainly not true for Synology DSM.  DSM 7 allows you to configure the minimum supported version of SMB as low as v1, with a default of v2. The maximum version is v3.

The third misconception is that SMBv2 is more complex than SMBv1.  Actually, in some ways it is less so.  SMBv1 has over 100 commands and subcommands.  SMBv2 has just 19.  SMBv2 also eliminates many of the underlying protocols that SMBv1 supports:  NetBIOS over IPX, NetBIOS over UDP and NetBEUI.

The fourth misconception is that a separate NAS just for streaming to Sonos is secure because it limits the vulnerability just to this single-purpose NAS.  Unfortunately, having any SMBv1 devices on your LAN compromises the entire LAN.

I’ve been thinking about an SMB gateway running on a Raspberry Pi that accesses an SMB v2 or v3 share (from a NAS), and re-shares it as SMBv1 (for shameful speaker-manufacturers’ products).  With a firewall on this host configured to allow access only to the NAS and the Sonos devices it might provide reasonable security, but I haven’t finished my evaluation.  It would be very important, though, to ensure that no other devices on the LAN have access to this gateway.

I think that Sonos’s (and Denon’s) failure to provide SMBv2 support in new products is very disrespectful to their customers.  As with many companies that don’t really understand security (or even the need for security), they think it’s OK to ignore their customers’ security needs as long as sales are good.  For shame.

Userlevel 2

The best solution is to use Plex, instead of a fileshare.

this have the bonus of providing access from a phone or desktop pc to the music library everywhere.

Userlevel 7
Badge +22

If you can put a firewall rule set in place to keep your SMB v1 NAS off the Internet completely that is a reasonable choice.

The problem with a lot of these devices is that they want access to remote servers/services and are aggravating in various ways if they don’t get it. Some stuff you can spoof to a local server like NTP but other stuff is more difficult or impossible to spoof.

I originally went the “cheap NAS” route, soon discovered WD had abandoned it and wasn’t providing security updates. I felt it wasn’t safe to leave on line at that point.

I can’t say that I’m overly bothered - it’s not exposed to the outside world, so they need to get into my network first.

No big deal which way you go aside from enabling SMB v1 on a NAS holding important data. That is a non-starter in my opinion.

Absolutely - all my non-Sonos data is on a much more secure Synology.

 

 

Userlevel 7
Badge +22

I originally went the “cheap NAS” route, soon discovered WD had abandoned it and wasn’t providing security updates. I felt it wasn’t safe to leave on line at that point.

If you look at the Pi SMB v1 setup instructions it is dead simple and only takes a few minutes. The Pi is designed to keep getting security and other updates for the foreseeable future.

SMB v1 Gateway

No big deal which way you go aside from enabling SMB v1 on a NAS holding important data. That is a non-starter in my opinion.

I just upgraded to DSM 7and had to search the internet after my music share stopped working. Why has Sonos not fixed this yet ?


Same here, it is not acceptable. I am looking for an alternative product to Sonos.

Perhaps see this LINK


Thank you Ken. Unfortunately I own a Play:5 S1, I have to surrender to the idea of not using it for my local playlist anymore, or opting for a CIFS gateway with a Raspberry. Or again, make an investment in a new product.

Why not just buy something sacrificial, instead of using your Synology? Much cheaper than changing your Sonos kit for something else - and much easier to set up than the raspberry option.

I use a cheap NAS - it’s been running virtually non-stop for 10 years, now. When it fails I’ll just slot another cheap one in running SMB1.

I just upgraded to DSM 7and had to search the internet after my music share stopped working. Why has Sonos not fixed this yet ?


Same here, it is not acceptable. I am looking for an alternative product to Sonos.

Perhaps see this LINK


Thank you Ken. Unfortunately I own a Play:5 S1, I have to surrender to the idea of not using it for my local playlist anymore, or opting for a CIFS gateway with a Raspberry. Or again, make an investment in a new product.

I just upgraded to DSM 7and had to search the internet after my music share stopped working. Why has Sonos not fixed this yet ?


Same here, it is not acceptable. I am looking for an alternative product to Sonos.

Perhaps see this LINK

I just upgraded to DSM 7and had to search the internet after my music share stopped working. Why has Sonos not fixed this yet ?


Same here, it is not acceptable. I am looking for an alternative product to Sonos.

I just upgraded to DSM 7and had to search the internet after my music share stopped working. Why has Sonos not fixed this yet ?

I am not aware of Sonos closing any thread on this dead-horse-beating topic. The largest thread I think is this one:

Sonos has shown no signs of addressing this problem, correct. Because, I assume, too few customers use NAS devices to make it worth their while, and there are other work-arounds available.

in my humble opinion this assumption has not been confirmed by SONOS - let us just hope Synology will not drop SMBv1 support some day

 
 

At present, the next major release of DSM, DSM 7, has dropped support for SMB1. There is currently a workaround, but I wouldn’t count on it for release, or for long term support. See - https://community.synology.com/enu/forum/20/post/139200

Thanks for the heads up Dave. I rest my case. Besides the poor NAS support, SONOS has also failed to provide adequate Apple Music playlist support for macOS users. Moreover, the SONOS playlists lack comprehensive resume functionality. 

 
Userlevel 7
Badge +22

There are other work-around options, a NAS to SMB v1 gateway on a Raspberry Pi Zero W is my favorite solution.

Far better in my opinion than enabling SMB v1 on your NAS.