PSIRT Advisory

FortiOS by default disables SMBv1 support

Summary

Server Message Block (SMB) 1.0 - a legacy file and print sharing protocol - has been deprecated by Microsoft due to its potential downgrade, man-in-the-middle, collision and pre-image attack vulnerabilities.

SMBv1 support is now disabled in the FortiOS SSL VPN and DLP fingerprint features; no other FortiOS feature supports the SMBv1 protocol.

For SSL VPN, a new CLI option is introduced and is disabled by default:

config vpn ssl web
    edit portal {name}
        set smb-ntlmv1-auth {enable|*disable}
    next
end

To enable SMBv1 for an SSL VPN portal, an administrator must manually set this option to "enable".

SMBv1 is permanently disabled for the DLP fingerprint feature.
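An audit check for this setting, added here as an example and not part of the advisory: it scans a FortiOS configuration export for SSL VPN portals that explicitly enable smb-ntlmv1-auth, so portals left at the new default are not reported. The sample export is constructed, and the parser assumes portals nest as `config vpn ssl web portal` / `edit "<name>"` / `next` / `end` in the export (it also accepts the `edit portal {name}` form shown above).

```python
import re
# Constructed sample of a FortiOS config export (not from the advisory); it
# assumes portals nest as: config vpn ssl web portal / edit "<name>" / next / end.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
        set smb-ntlmv1-auth enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-only"
        set web-mode enable
    next
    edit "legacy-files"
        set smb-ntlmv1-auth disable
    next
end
"""

def portals_with_smbv1(config_text):
    """Return names of SSL VPN portals that explicitly enable smb-ntlmv1-auth.

    Unset portals keep the 5.6.1+ default (disable); nested config blocks
    are tracked by depth so their own 'end' does not close the table early.
    """
    flagged = []
    depth = 0      # nesting depth inside the SSL VPN web table
    portal = None  # portal being edited at depth 1
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.startswith("config vpn ssl web"):
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1:
            m = re.match(r'edit\s+(?:portal\s+)?"?([^"]+)"?$', line)
            if m:
                portal = m.group(1)
            elif line == "next":
                portal = None
            elif portal and re.fullmatch(r"set\s+smb-ntlmv1-auth\s+enable", line):
                flagged.append(portal)
    return flagged
```

Run `portals_with_smbv1(SAMPLE_CONFIG)` against a real `show full-configuration` export to list the portals that still need review.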

Impact

Escalation of Privilege

Affected Products

FortiOS version 5.6.0 and below.

Solutions

Upgrade to FortiOS version 5.6.1