Sonos support for SMB 2.0 protocol

  • 18 September 2016
  • 274 replies
  • 39919 views



DEF CON this week... new SMBv1 vulnerability found, and Microsoft's not fixing this one. They say just disable it. Apparently it's more of a denial of service than a security issue, but nonetheless, it's a problem with an old protocol that needs to be put out to pasture.

More info: https://www.onmsft.com/news/microsoft-wont-patch-20-yr-old-smbv1-vulnerability-you-should-just-turn-the-service-off


There must be a major problem in the Sonos development organisation, or even worse. There is no scenario I can imagine in which a company does no communication about the progress of a major security problem and leaves a core function broken over months ... I'm really wondering what happened ...
So it sounds like I can reduce the risk to my PCs, laptops and important NAS by simply having a sacrificial NAS for Sonos. Not desirable at all, but manageable...

That is the solution I'm using now, don't need the grief that is a possibility even though I rarely have a Windows machine powered on here. Instead of chancing my NAS that has stuff I need on it I just put in a Raspberry Pi computer for serving my music. Cheap, simple and working perfectly.
Sonos, you need to fix this now! I'm pretty sure your CEO would not like the bad press if all of your customers get hacked because you are too lazy to fix this.
The vulnerability in SMBv1 that both WannaCry and Petya take advantage of has already been patched by Microsoft, even for Windows XP, which Microsoft hasn't supported for a couple of years. If you keep your computer up to date with security updates, you should be fine, at least until a new exploit is discovered.

It should also be noted that the SMBv1 vulnerability being exploited applies only to Windows, and nothing else. So a NAS (since most NAS devices run some kind of Linux) that supports SMBv1 should be fine for storing your music on your network if you want to turn off SMBv1 on your Windows computers. Most NAS devices support most, if not all, versions of SMB/CIFS.

I don't expect Sonos to have this fixed in weeks. I don't even expect it to be in the next software update they release. Maybe two or three from now... but hopefully, in order to prevent a support nightmare for themselves, they'll have it done before Microsoft releases the next major update to Windows 10 this fall. Any new computers or clean Windows 10 installations after that update will have SMBv1 disabled.


http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Here's an SMBv1 vulnerability that can't be patched. MS's answer is insufficient - blocking at the boundary is ineffective against client-side attacks, which are the most common now. Someone emails you a PDF, you open it, and you're infected inside your firewall. Client-side attacks depend upon the same trust model we use for valid users and software inside the network. If we can't patch and can't shut off SMBv1 because of Sonos' protocol dependency, what can you do to defend yourself?
So it sounds like I can reduce the risk to my PCs, laptops and important NAS by simply having a sacrificial NAS for Sonos. Not desirable at all, but manageable...

That is the solution I'm using now, don't need the grief that is a possibility even though I rarely have a Windows machine powered on here. Instead of chancing my NAS that has stuff I need on it I just put in a Raspberry Pi computer for serving my music. Cheap, simple and working perfectly.


As has been mentioned, Samba on Linux has also been vulnerable to SMBv1 attacks, so a sacrificial NAS could be a very apt description. Almost every consumer NAS is based upon Samba on an embedded Linux. The worst part about this is the infrequency of updates. This is a regular problem with the IoT - updates and developer attention to security post-sale is usually substandard and frequently non-existent. Does your NAS vendor provide security updates, or expect you to toss your old NAS and buy a new one? This Sonos issue we're upset about is just zooming in on one branch of the giant fractal that is IoT security.
The vulnerability in SMBv1 that both WannaCry and Petya take advantage of has already been patched by Microsoft, even for Windows XP, which Microsoft hasn't supported for a couple of years. If you keep your computer up to date with security updates, you should be fine, at least until a new exploit is discovered.

It should also be noted that the SMBv1 vulnerability being exploited applies only to Windows, and nothing else. So a NAS (since most NAS devices run some kind of Linux) that supports SMBv1 should be fine for storing your music on your network if you want to turn off SMBv1 on your Windows computers. Most NAS devices support most, if not all, versions of SMB/CIFS.

I don't expect Sonos to have this fixed in weeks. I don't even expect it to be in the next software update they release. Maybe two or three from now... but hopefully, in order to prevent a support nightmare for themselves, they'll have it done before Microsoft releases the next major update to Windows 10 this fall. Any new computers or clean Windows 10 installations after that update will have SMBv1 disabled.


http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Here's an SMBv1 vulnerability that can't be patched. MS's answer is insufficient - blocking at the boundary is ineffective against client-side attacks, which are the most common now. Someone emails you a PDF, you open it, and you're infected inside your firewall. Client-side attacks depend upon the same trust model we use for valid users and software inside the network. If we can't patch and can't shut off SMBv1 because of Sonos' protocol dependency, what can you do to defend yourself?


The first line of defence is the most unreliable (or rather vulnerable) one - the human factor.
You don't plug a USB into your computer unless you KNOW it is safe (or at least as sure as you can be, e.g. you don't plug in one you find lying about).
You don't open an e-mail from somebody you don't know and the subject line is not relevant in any way to you.
You don't open an attachment unless you have a high degree of confidence it is from somebody you know and THEY actually sent it rather than an infection on their computer or ISP.
You don't visit dodgy web-sites (careful with those Google searches!)
You keep your AV and OS software up to date.

You absolutely do NOT rely on others to protect you. If you do then you are prime fodder for ne'er-do-wells.
And in a group situation/non-techie situation, those don't work. Even experienced security professionals accidentally click the wrong things or get phished regularly. "You should block at the boundary, so we're not gonna fix this" is the wrong answer. Vendors have an implicit responsibility to patch known problems or provide mitigation plans that don't decimate functionality.
Almost every consumer NAS is based upon Samba on an embedded Linux. The worst part about this is the infrequency of updates. This is a regular problem with the IoT - updates and developer attention to security post-sale is usually substandard and frequently non-existent. Does your NAS vendor provide security updates, or expect you to toss your old NAS and buy a new one?

My original NAS was a Western Digital Live Drive, one that WD has apparently abandoned as it hasn't had an available update for many years now. Aside from the security issues it is an RF noise source that interferes with my Sonos networking. My answer was to scrap it and not get suckered into another WD device I had no control over.

I replaced the WD NAS with a $35 Raspberry Pi computer running Samba hooked to a salvaged SSD for music storage. A hard drive with a USB adapter cable would do as well if you don't have an SSD or one big enough for your music.

The Pi has a great update system that I run weekly, plus I have full control over just what the Pi is doing.

The setup was very simple with great tutorials on the Pi community site, so most folks could accomplish the same thing. The Pi is very underutilized; even with three streams running from my music library the CPU use and temperature are low.
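A minimal Samba configuration for such a dedicated, read-only music share, added here as an illustration and not taken from the poster's setup or from any Sonos documentation. It keeps the SMB1 dialect (NT1) enabled only because Sonos requires it, and narrows that exposure to one read-only share, one local user, a fixed list of client addresses and a single TCP port with no NetBIOS listener. The subnet, player addresses, share path, interface name and user name are placeholders.

```ini
# Added example: smb.conf for a sacrificial Raspberry Pi music share.
# Assumptions (placeholders, not from the thread): the Sonos players live in
# 192.0.2.0/24 with static addresses, the music sits under /srv/music, the
# wired interface is eth0, and "sonos" is a local Samba user created with
# `smbpasswd -a sonos`.
[global]
    workgroup = WORKGROUP
    server string = Music share for Sonos only
    # Sonos needs the SMB1 dialect (NT1). Recent Samba releases default the
    # floor to SMB2, so it has to be enabled explicitly. Leave the ceiling at
    # SMB3 so other clients on the LAN negotiate something better.
    server min protocol = NT1
    server max protocol = SMB3
    # No NetBIOS name service and no port 139; only TCP 445 on the wired NIC.
    disable netbios = yes
    smb ports = 445
    interfaces = eth0
    bind interfaces only = yes
    # Accept connections from the local LAN only; reject everything else.
    hosts allow = 192.0.2.0/24 127.0.0.1
    hosts deny = ALL
    # Require a username and password; never map unknown users to guest.
    security = user
    map to guest = Never
    # Export nothing beyond the music share: no printers, no home directories.
    load printers = no
    printing = bsd
    printcap name = /dev/null

[music]
    path = /srv/music
    comment = Read-only music library for Sonos
    # The players only ever read; library updates go in over SSH/rsync, not SMB.
    read only = yes
    browseable = yes
    valid users = sonos
    # Tighten this share further to the players' static addresses.
    hosts allow = 192.0.2.10 192.0.2.11 192.0.2.12
```

Run `testparm` after editing to have Samba validate the file, then confirm from a client outside the listed addresses that the share refuses the connection; the point of the box is that a compromise of the Pi exposes only a read-only copy of the music, nothing else on the network.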
Just talked to a Sonos support engineer. I am "surprised", not to say shocked, that there is no SMB2 support at least. And there is no concrete plan of changing it. Is there anyone still working at Sonos watching security notices? Or does no security engineer care about that? Developing more gadgets eats up all the time? I cannot imagine that fixing this widely known security issue seems to be "not important". Switching off the connection to the music folders means a lack of quality. Hey guys, I bought 5 devices! Spent a lot of money, thinking this is the right solution. Do I have to change my mind? I told everyone Sonos is the best solution; -- shall I stop telling that? 😠
Just talked to a Sonos support engineer. I am "surprised", not to say shocked, that there is no SMB2 support at least. And there is no concrete plan of changing it. Is there anyone still working at Sonos watching security notices? Or does no security engineer care about that? Developing more gadgets eats up all the time? I cannot imagine that fixing this widely known security issue seems to be "not important". Switching off the connection to the music folders means a lack of quality. Hey guys, I bought 5 devices! Spent a lot of money, thinking this is the right solution. Do I have to change my mind? I told everyone Sonos is the best solution; -- shall I stop telling that? :@

I asked some time ago Sonos Germany and got this answer:

"We are well aware of the problem. Efforts are also under way to find a solution here.
However, this first has to be implemented and tested cleanly, and that takes time. The problem will be addressed in a future update, but we cannot yet say exactly when."

I'm shocked too... 😞
I asked some time ago Sonos Germany and got this answer:

"We are well aware of the problem. Efforts are also under way to find a solution here.
However, this first has to be implemented and tested cleanly, and that takes time. The problem will be addressed in a future update, but we cannot yet say exactly when."

I'm shocked too... :-(

Why? Because they don't offer a quick-and-dirty solution?
I asked some time ago Sonos Germany and got this answer:

"We are well aware of the problem. Efforts are also under way to find a solution here.
However, this first has to be implemented and tested cleanly, and that takes time. The problem will be addressed in a future update, but we cannot yet say exactly when."

I'm shocked too... :-(

Why? Because they don't offer a quick-and-dirty solution?


No, but because this topic is 11 months old, the security holes have long been known and NOTHING has happened since! You can hardly call that quick-and-dirty. The arrogance quoted above fits rather better.
Software developing and (beta)testing needs its time.
Software developing and (beta)testing needs its time.
Knowing this, development should have started in 2007, with everything finished, quality checked and even gamma tested by 2009! It seems Sonos slept 7 years too long.
Software developing and (beta)testing needs its time.
Yes, true. But since the release of Samba 3.6.0 on August 9, 2011, the open-source version of SMB2 has been out.
6 years ... and nothing happens....
With multiple supported online streaming services in their portfolio, one could think that Sonos simply stopped caring about users with local music libraries at a certain stage. When you look at how people in their twenties (or even younger) consume music nowadays, our combined gigaflops of accumulated locally stored music files simply do not match younger customers' listening habits anymore.

With Spotify, AppleMusic et al. now combining the listening experience with social media interaction and algorithms proposing new, yet unknown tracks according to the listener's preferred music styles, a local collection of beloved but well-known songs seems a bit yesterdayish - at least to said youngsters.

Note that this comment should not be taken as a justification for the indeed cumbersome Samba support (as well as the slow, but yet forced death of the Windows desktop controller), but rather as an explanation for Sonos' obvious lack of interest in this matter.
With multiple supported online streaming services in their portfolio, one could think that Sonos simply stopped caring about users with local music libraries at a certain stage.

tl;dr: Sonos is too busy working on things for youngsters (whoever that is) and has no time for security issues and upgrading boring things for old people and weirdos with local libraries.

Joking aside, your main point is true I think. The context is that Sonos announced a large number of layoffs in spring 2016 and IIRC the reports were that it was people who were mostly working on local library stuff who were let go.

Bit of a pattern, Sonos hasn't bothered to update their STP implementation either. Not a security issue, but still. For example, this discussion dating back 7 years. https://en.community.sonos.com/troubleshooting-228999/sonos-and-the-spanning-tree-protocol-16973

IPV6 -? I don't think they are implementing this either.

IMO they shouldn't ignore this, leaving STP and IPV6 aside, security issues should get priority.
Today a technician from the German board stated on a non-related topic »Sonos braucht zur Zeit noch SMB1 um auf Freigaben zugreifen zu können« (»Sonos currently requires SMB1 in order to manage file shares«), which indicates that they are working on a SMB security update.
While not fluent I do speak some German (and a lot of technology/product management.) I would not say this indicates that they are working on an SMB security update. Saying "at the moment" is more of a colloquial way of talking than a measured statement about the future.

My gut says they are trying to figure out what to do here, but I would not say this is an indication. Unfortunately the vast majority of customers are probably not using a NAS, so while it bothers a number of us, we are not the vast majority so the speed of a solution is not primary for them.
While not fluent I do speak some German (and a lot of technology/product management.) I would not say this indicates that they are working on an SMB security update. Saying "at the moment" is more of a colloquial way of talking than a measured statement about the future.
No, I'll try to explain. The technician wrote 'zurzeit' wrong since 'zur Zeit' bears another meaning (it's actually used in a historical context).
Again, I am not a native speaker but I speak it enough to get by (used to go there a lot on business.) "Zur zeit" literally translates to "for (the) time". But my work with Germans has always led me down the path of not trying to read things into their statements as they (and their language) tends to be incredibly precise. I worked in semiconductors and there was always a lot of speculation and the Germans were very careful not to use statements that implied other things.

My two cents (as I said before) is that a.) the engineer was not implying anything and b.) Sonos is well aware of this and trying to work out a solution.

I am not saying that they are not working on this, only that using an engineer's statement to prove your point is probably not justified. I believe the bigger justification is that MSFT is dropping support for SMB v1 and that is going to have a bigger impact on getting Sonos off the dime than customers.
As I said, he spelled it incorrectly. See here. That is all I know.
Any updates? This is crazy... I just purchased a new NAS and no, it doesn't support SMB1 so now I can't use my Sonos system? Really?
Any updates? This is crazy... I just purchased a new NAS and no, it doesn't support SMB1 so now I can't use my Sonos system? Really?
Yup, really.... Unless you can enable SMB1 on the NAS - some still have it, but switch it off by default...
Any updates? This is crazy... I just purchased a new NAS and no, it doesn't support SMB1 so now I can't use my Sonos system? Really?

Yes, and yes, Sonos does not show any sign of fixing this ... you can only move to another product or run a proxy SMB1 server for connecting Sonos.
