Windows XP - not working on UCS 5.0-0?

Hi all - I managed to update my UCS installation to 5.0-0. Since then our Document scanner ScanSnap N1800 does not work anymore. This is a fairly old machine running Windows XP as its firmware. It claimed that it could not find any LDAP server anymore. I removed it from the domain and then tried to rejoin. Rejoining did not work.

The thing worked like a charm until UCS 4.4-8. I had the UCR variable samba/ntlm/auth set to Yes. I also tried to change the ScanSnap’s LanMan settings to respond with NTLMv2. This did not help to rejoin.

Any ideas where to look and what to tweak?

Thanks - Martin

Hi

This could be due to the bump in the TLS stack (OpenSSL) between UCS 4.4 (Debian 9 / OpenSSL 1.1.0) and 5.0 (Debian 10 / OpenSSL 1.1.1). That device seems to be based on Windows XP embedded, and might only be doing plain LDAP?

I have seen all sorts of things fail when one starts enforcing TLS 1.2, and some old devices which would support TLS 1.2 fail when TLS 1.3 is offered, as is supported with OpenSSL 1.1.1…

After some searching I found out that since Samba 4.11 SMB1 is no longer available by default. Tweaking some parameters helps here. I set in UCR

samba/client/min/protocol = NT1
samba/min/protocol = NT1

and typed the following command to restart samba

/etc/init.d/samba restart

Afterwards I could join the machine back to the system.

Maybe this helps others …

SMB 1 … ouch, I had almost forgotten that the very first Windows OS to support SMB 2 was Windows Vista. Even Microsoft has been banging the drum about getting rid of SMB1 for several years now, yet I am fully aware of not very old devices still being stuck on the insecure SMB 1 protocol version.

Please consider replacing this network scanner when budget allows. I also dislike replacing working hardware myself, but this scanner is likely 10 years old by now.

Yes - security issue here, security issue there - that produces a lot of electronic trash against all efforts for sustainability. What is the actual danger of using SMB1 as long as you do not allow strangers to connect to your network?

Well, just because you don’t allow them to do so doesn’t mean they won’t come anyway. :wink: Seriously: I really like that you don’t follow the trend of unnecessarily replacing usable hardware. But in this case which causes a severe security issue I see only two options: Replacing the scanner or physical separation of the network (including no connection to the internet) in which it is operated.

What IS the issue? Assuming that we have a working firewall blocking access to SMB1 from the internet, the issue is that either a malicious web site or a malicious e-mail takes partial control over a client machine which has been logged in to SMB2 or higher anyway. What is the particular danger here?

What IS the issue?
The main issue is that SMB1 is a very old protocol (it was officially called SMB 1.0 with Windows 2000; its roots date back to the early 1980s) and is lacking modern features that have been added to provide better performance, robustness, integrity and security.

While you can block SMB from the internet (which you should anyway), you cannot allow SMB1 for specific devices only - at least not that easily, if at all, internally. SMB1 and newer use the same TCP/UDP ports.

For this one device you had to re-enable said protocol version for all your (internal) clients. If another internal system gets compromised with ransomware such as WannaCry, it may explicitly try to use SMB1, and as such your server remains vulnerable to this kind of attack. There are other readily available articles outside of this forum written by people who are able to explain in more detail why SMB1 is considered insecure even for internal networks.

Samba has defaulted to disabling SMB1 for 2 years now with the release of Samba 4.11 and Microsoft have been begging others to stop using SMB1 since 2016. In the end you have to weigh the risks.

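The point made above, that "server min protocol" is a global Samba setting and so the NT1 tweak from the earlier post re-enables SMB1 for every client of the server, can be checked mechanically. The script below is an added example and is not code from this thread, from Univention or from the Samba project. It audits an smb.conf-style text (the UCR variables samba/min/protocol and samba/client/min/protocol are assumed to end up as the "server min protocol" and "client min protocol" options shown here) and reports whether the effective minimum dialect still lets a client negotiate SMB1. It assumes Samba's dialect names (CORE, COREPLUS, LANMAN1, LANMAN2, NT1 below SMB2_02) and the Samba 4.11+ default of SMB2_02 when the option is absent; the two sample configs at the end are constructed, one with the weak NT1 setting from the thread and one with the hardened default.

```shell
#!/bin/sh
# Added example: audit an smb.conf for SMB1 exposure.
# Not code from the forum thread, Univention or Samba.
# Assumptions: smb.conf syntax on stdin; Samba dialect names; Samba >= 4.11
# default of SMB2_02 for both "server min protocol" and "client min protocol".

SMB1_DIALECTS="CORE COREPLUS LANMAN1 LANMAN2 NT1"   # everything below SMB2_02
DEFAULT_MIN="SMB2_02"                              # Samba >= 4.11 default

# effective_min_protocol server|client
# Reads a config text on stdin and prints the effective minimum dialect in
# upper case. "min protocol" is treated as a synonym of "server min protocol",
# matching is case-insensitive, the last assignment wins, and comment lines
# (starting with # or ;) are ignored because they never start with the key.
effective_min_protocol() {
    case "$1" in
        server) pat='^[[:space:]]*(server[[:space:]]+)?min[[:space:]]+protocol[[:space:]]*=' ;;
        client) pat='^[[:space:]]*client[[:space:]]+min[[:space:]]+protocol[[:space:]]*=' ;;
        *) echo "usage: effective_min_protocol server|client" >&2; return 2 ;;
    esac
    val=$(grep -iE "$pat" \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
          | tr '[:lower:]' '[:upper:]')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$DEFAULT_MIN"
    fi
}

# dialect_allows_smb1 DIALECT  -> exit 0 if clients may negotiate SMB1
dialect_allows_smb1() {
    for d in $SMB1_DIALECTS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# audit_smb1 reads a config on stdin and prints one verdict line per role.
# The verdict is global: a min protocol of NT1 applies to every client of
# this server, not just to the one old device it was lowered for.
audit_smb1() {
    cfg=$(cat)
    for role in server client; do
        min=$(printf '%s\n' "$cfg" | effective_min_protocol "$role")
        if dialect_allows_smb1 "$min"; then
            printf 'SMB1 ALLOWED: %s min protocol = %s (applies to ALL %ss)\n' \
                   "$role" "$min" "$role"
        else
            printf 'SMB2+ only: %s min protocol = %s\n' "$role" "$min"
        fi
    done
}

# Constructed sample 1: the weak setting from the thread (NT1 for both roles).
echo "== weak config (NT1) =="
audit_smb1 <<'EOF'
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
   client min protocol = NT1
EOF

# Constructed sample 2: hardened config, SMB1 stays disabled (Samba default).
echo "== hardened config (SMB2_02) =="
audit_smb1 <<'EOF'
[global]
   workgroup = EXAMPLE
   ; leaving both at the Samba 4.11+ default keeps SMB1 off
   server min protocol = SMB2_02
   client min protocol = SMB2_02
EOF
```

Running the script prints "SMB1 ALLOWED" for both roles on the first config and "SMB2+ only" on the second; feeding it `testparm -s` output from a live server works the same way, since that prints the effective [global] section.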

Hi,
to separate these old irons (or plastics) from the production network you can search the web with the following buzzwords: "raspberry bridge smb1"
Maybe you can find some ideas… such as this idea…