Sonos support for SMB 2.0 protocol

  • 18 September 2016
  • 274 replies
  • 43890 views



Big +1 for me too. Sonos support of SMB 1.0 only shows clear lack of focus. Meanwhile, folks that want to use their music library can't or run the risk of the various active exploits.

Sonos is likely trying to figure out their upgrade story for hundreds of device permutations. Who knows, maybe some of their devices can't be updated without SMB1 running or something and they are waiting for these to die instead of fixing.

Here is a snippet from an email I sent to Sonos support on the topic so if others out there need to know the trick to getting things working (Win2k12R2):

I then looked up the reg keys that are seemingly behind SMB 1.0 and I see that in "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 is set to 0 (0x00000000). In essence, it would appear that something like what is described at https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server was done on my system (likely by GPO by a domain admin). As soon as I switched the setting to 1 ... and ... you guessed it ... Sonos worked just fine.
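An added example (not from the thread or from Sonos) of the check an administrator would want before touching that setting: it reads the same registry value, lists any clients still connected at an SMBv1 dialect and any user shares on the host, and only then disables the SMBv1 server while leaving SMB2 on. It assumes Windows 8 / Server 2012 or newer (SmbShare module) and an elevated PowerShell session; the function names are the example's own.

```powershell
# Added example: audit SMBv1 on a Windows host before turning it off.
# Assumes Windows 8 / Server 2012 or newer and an elevated PowerShell session.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Audit {
    # Registry value discussed in the thread: 0 = SMB1 server disabled,
    # 1 = enabled, absent = the OS default applies.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $cfg = Get-SmbServerConfiguration

    # Sessions not negotiated at dialect 2.x/3.x are clients that still depend on
    # SMBv1 (here: Sonos players, if the music library lives on this host).
    $legacySessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -notmatch '^[2-9]\.' } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    # Non-administrative shares: if one of these holds the music library, this host
    # is the SMB server Sonos talks to and disabling SMBv1 here breaks playback.
    $userShares = Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path

    [pscustomobject]@{
        RegistrySMB1Value  = if ($null -eq $reg) { 'not set (OS default)' } else { $reg.SMB1 }
        EnableSMB1Protocol = $cfg.EnableSMB1Protocol
        EnableSMB2Protocol = $cfg.EnableSMB2Protocol
        LegacySmb1Sessions = @($legacySessions)
        UserShares         = @($userShares)
    }
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server only (the Microsoft KB linked in the thread documents
    # the same switch); SMB2 stays on so controllers and modern clients keep working.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

$audit = Get-Smb1Audit
$audit | Format-List
if ($audit.LegacySmb1Sessions.Count -gt 0) {
    Write-Warning 'Active SMBv1 sessions found; those clients lose access if SMBv1 is disabled here.'
} else {
    Disable-Smb1Server -WhatIf   # drop -WhatIf to apply the change
}
```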
Just another security professional weighing in, in the hopes that more voices on the boards will encourage this as a priority to the dev team.
My understanding is that the vast majority of security professionals now regard v1 as a significant risk, and that MS are now taking it so seriously that they are likely to disable it in releases due later this year.

Having seen the response by Ryan approx 9 months ago, it is extremely disappointing to see that no progress whatsoever has been announced in this respect.

Apparently "Sonos only uses SMB for sharing your local music library off of a Windows computer or a network attached storage (NAS) drive. If your music listening is through a music service, you can have SMB disabled on your system and Sonos won't have any trouble at all. The only trouble that comes up with SMB1 disabled is for those music shares listed above."

I have seen other approaches promoted such as Plex (last time I looked, a laughably poor Sonos implementation) or uploading ones music into the cloud and streaming from there. Considering that I bought this system solely to stream music from a local NAS (and have no interest whatsoever in music streamed from the internet), it now sounds as if I will shortly have few options if I want to run a secure system. As far as I can see, my best bet is to start planning to migrate to a more modern system within the next six months or so.

What would be useful is to have a definitive statement from Sonos of what will and won't work without v1 being enabled. e.g. if v1 was left enabled on a (sacrificial) NAS, will all controllers (including Windows ones) still work when v1 is disabled in Windows? I'm not asking for details of their future plans, just an impact assessment of turning off v1. If enough of the system would still work, then it may reduce the need to migrate elsewhere.
If you leave SMBv1 enabled on the NAS you can disable it on your Windows machines, once you have configured your shares. The Sonos Players are the SMB clients (via Samba as I recall), not the controllers (except during setup).
Again, this problem DOES NOT only affect Windows. https://dzone.com/articles/xdata-and-sambacry-add-to-the-whopping-number-of-d

"SambaCry uses three loopholes to exploit Linux systems:

smbd running on TCP port 445.
"nt pipe support" setting enabled in smb.conf.
A writeable share is accessible by an attacker.

To initiate an attack, the hacker uploads a shared object to the writeable share and executes a small command to make the smbd execute that shared object. This allows the hacker to attain root privileges, granting them access to the entire system. In a strategic move, hackers released SambaCry during a major U.S. holiday, making the attack more difficult to resolve. Samba has already issued a patch to resolve the issue. Apart from this, users can avoid SambaCry by disabling the "nt pipe support" setting or by blocking their TCP port 445 from untrusted sources."

Please stop perpetuating the myth that this is a Windows-only problem. If you believe that, you are misinformed. Yes this is an issue on the NAS, not Sonos. But Sonos requiring this legacy service to be enabled creates a security risk for users and their local networks. Also keep in mind, these aren't just bugs... The software exploiting these isn't run of the mill malware, they're NSA developed cyberweapons to exploit this vulnerability. The circumstances here are exceptional.


-Andy
So you need to have your NAS accessible to the attacker, running on port 45, and "nt pipe support" enabled? And any of these conditions set to off renders the hack impossible?

Yeah, I'm shaking in my boots. Unless I'm running a BitTorrent (which I'm not), I see no reason to enable public access to my NAS. Once again, a big to do about nothing for me.
I see no reason to enable public access to my NAS. Once again, a big to do about nothing for me.

The belief that you need public access is naive. Most attacks get a foothold on a local system through other attack vectors and then move laterally inside the network. This is why the other security professionals in addition to myself on this thread are all concerned. Do you think all the companies that got hit with SambaCry were exposing port 445 to the internet?

-Andy

Did you not read my statement? Let me highlight the pertinent phrases:

"I see no reason to enable public access to my NAS. Once again, a big to do about nothing for me."

I couldn't care less about "all the companies that got hit with SambaCry". That is their problem,
Great, it's not a big deal for you, congratulations. That would be relevant if you were the only customer of Sonos.

It is relevant because I am a customer of Sonos, just as your posts are relevant. Once you understand that fact, you will understand the culture of online fora and not be so defensive to people disagreeing with your level of concern.
What is the culture of the "fora" - is it like an Apple World-Wide Developer's Conference, where only loud applause, footstamping and "woo! woo!"-ing is tolerated? 😃

No. But neither is "Woe is me!", "Here there be dragons!" and "Oh why oh why won't they listen to me?" FUD allowed without challenge.

Welcome to the real world, where both sides' opinions are both tolerated and encouraged. There's a lot of doom and gloom in this thread that doesn't apply to the average user. The average user should be given that information, regardless of whether it contradicts the apparently dire concerns of others.
If you leave SMBv1 enabled on the NAS you can disable it on your Windows machines, once you have configured your shares. The Sonos Players are the SMB clients (via Samba as I recall), not the controllers (except during setup).
So if I upgrade a controller on a Win 10 machine (without v1) will it initialise properly? ISTM this is why we need some hard info from Sonos, who surely know their own system inside out.
Yes, the controller software itself has no need for SMBv1 to be enabled. Sonos only needs it to be available on the device(s) that hold music library data on your network. I've disabled SMBv1 on all of my Windows computers, because my NAS has all of my music stored on it, and Sonos gets it from there. If I stored my music on one of my computers, only that one computer would need SMBv1 to be enabled.
Thanks, I'll look into it...
As an FYI for those on standard builds, part of the SMBv1 functionality has already been turned off by default (but not (yet?) fully removed) in the Windows 10 Insider Preview updates, so Sonos no longer works when attempting to play or add any local music.
I've just turned it off on my Win 10 machine, and AFAICS the Windows Sonos controller seems to be working OK

Actually, my logic doesn't hold true, as I can't see which version the six year old NAS is using...

The music that wouldn't work any more would be that stored on the Windows 10 machine (or any other with the protocol disabled). If it was on a NAS or another system that still had the protocol enabled, a Sonos controller on the SMBv1-disabled Windows machine can still see and initiate playback.
OK - so consistent with other views above.
So it sounds like I can reduce the risk to my PCs, laptops and important NAS by simply having a sacrificial NAS for Sonos. Not desirable at all, but manageable...

Totally agree!
Is there any sign from the Sonos people that they will take care of this missing upgrade, or at least not treat it as a nice-to-have add-on? If Sonos does not care about security on this point, probably they don't care at all.
Having a device with wifi and internet connection in my internal network makes me think about not using this product at all.

I really hope that is not true and I just missed the announcement. (The thread is already 10 months old.) 😞

No, there is no change and no indication there is a fix forthcoming. That said they could be working on it now but we won't know until they release it unfortunately.
This is just arrogant on their part, and definitely not customer friendly. It's a clear sign of not taking their customers and the problem at hand seriously.
DEF CON this week... new SMBv1 vulnerability found, and Microsoft's not fixing this one. They say just disable it. Apparently it's more of a denial of service than a security issue, but nonetheless, it's a problem with an old protocol that needs to be put out to pasture.

More info: https://www.onmsft.com/news/microsoft-wont-patch-20-yr-old-smbv1-vulnerability-you-should-just-turn-the-service-off