PSIRT Advisory

FortiOS by default disables SMBv1 support


Server Message Block (SMB) 1.0 - a legacy file and print sharing protocol - has been deprecated by Microsoft due to its potential downgrade, man-in-the-middle, collision and pre-image attack vulnerabilities.

SMBv1 support is now disabled in the FortiOS SSL VPN and DLP fingerprint features; no other FortiOS feature supports the SMBv1 protocol.

For SSL VPN, a new CLI option is introduced and is disabled by default:

config vpn ssl web
  edit portal {name}
     set smb-ntlmv1-auth {enable|*disable}
  next
end

To enable SMBv1, an administrator would need to set it to "enable" manually.
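Because FortiOS configuration backups omit settings left at their default, a portal with no smb-ntlmv1-auth line is already running with SMBv1 disabled; only an explicit "enable" needs review. The following audit script is an added example, not part of this advisory or any Fortinet tool; it assumes the backup layout "config vpn ssl web portal" / edit "name" / set ... / next / end and runs on a constructed sample.

```python
import re

# Constructed sample of a FortiOS configuration backup (not from the advisory).
# FortiOS omits settings left at their default, so a portal with no
# "set smb-ntlmv1-auth" line is running with SMBv1/NTLMv1 disabled.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set smb-ntlmv1-auth enable
    next
    edit "web-access"
        set web-mode enable
    next
    edit "legacy-share"
        set smb-ntlmv1-auth disable
    next
end
"""


def portal_smbv1_state(config_text):
    """Return {portal_name: bool} for every SSL VPN web portal.

    True means smb-ntlmv1-auth is explicitly enabled (SMBv1 allowed);
    False means disabled, whether explicitly or by the FortiOS default.
    """
    states = {}
    in_portals = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl web portal":
            in_portals = True
            continue
        if not in_portals:
            continue
        if line == "end":
            break
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            states[current] = False  # default: disabled
            continue
        if current and line.startswith("set smb-ntlmv1-auth "):
            states[current] = line.split()[-1] == "enable"
        if line == "next":
            current = None
    return states


def portals_allowing_smbv1(config_text):
    """Names of portals that would need review under this advisory."""
    return sorted(n for n, on in portal_smbv1_state(config_text).items() if on)


if __name__ == "__main__":
    print(portals_allowing_smbv1(SAMPLE_CONFIG))  # ['full-access']
```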

SMBv1 is permanently disabled for the DLP fingerprint feature.


Escalation of Privilege

Affected Products

FortiOS 5.6 branch: 5.6.0 to 5.6.2
FortiOS 5.4 branch: 5.4.0 to 5.4.6
FortiOS 5.2 and earlier versions.


Upgrade to FortiOS version 5.6.3 or 5.4.7