Cisco Bug: CSCuo70696 - Add support for native SMBv2 and SMBv3 protocols

Last Modified

Nov 18, 2020

Products (1)

  • Cisco IronPort Web Security Appliance Software

Known Affected Releases

10.1.0-204 10.1.1-230 7.7.0-725 9.1.1-074

Description (partial)

Symptom:
The WSA appliance shows the following error messages when attempting to join the domain:

 Error: Computer Account creation failed.

 Warning: Cannot check system time on AD server 'IP_ADDRESS'
 Warning: Cannot check system time on AD server 'IP_ADDRESS'

Conditions:
Cisco WSA is NOT exploitable by the WannaCry malware suite; however, it requires the SMBv1 protocol for communication with Microsoft Active Directory.

All versions of Cisco Web Security Appliance (WSA) and WSAv currently support only the SMBv1 protocol for communication with Microsoft Active Directory.

Therefore, in light of the newest WannaCry ransomware, for customers that would prefer to continue using Cisco WSA and Microsoft AD together, Cisco is proposing the following short-term and long-term mitigation plans:
 
Short-term Plan
* Rather than disabling the SMBv1 protocol on Microsoft Active Directory completely (one of the workarounds Microsoft suggested), so that the WSA to Microsoft AD integration continues to work properly, we recommend that customers patch their systems using the patch supplied by Microsoft: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
* In addition, customers are advised to configure enterprise perimeter firewalls to block unsolicited inbound communication (from the Internet) and outgoing traffic (to the Internet) on the following SMB-associated ports: 137, 138, 139 and 445.
 
This will help keep vulnerable machines on your network from being infected by systems outside of it.
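One way to check that the perimeter blocking in the short-term plan is actually in effect is to audit firewall flow records for permitted SMB traffic crossing the perimeter. The following is an added example, not code from the Cisco bug or the WSA product; the CSV flow format, the RFC 1918 internal ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Ports named in the short-term plan: NetBIOS name/datagram/session and SMB over TCP.
SMB_PORTS = {137, 138, 139, 445}

# Assumption: the internal address space is RFC 1918; replace with the real prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> Dict[str, object]:
    # Constructed CSV flow format (hypothetical): src,sport,dst,dport,proto,action
    src, sport, dst, dport, proto, action = line.strip().split(",")
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "action": action}

def audit_flows(lines: List[str]) -> List[str]:
    """Return one finding per permitted SMB flow that crosses the perimeter.
    Internal-to-internal SMB (e.g. WSA to a domain controller) is expected and not reported."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["dport"] not in SMB_PORTS or f["action"] != "ALLOW":
            continue
        src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        if not src_in and dst_in:
            findings.append(f"unsolicited inbound SMB allowed: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
        elif src_in and not dst_in:
            findings.append(f"outbound SMB to Internet allowed: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
    return findings

# Constructed sample flows, not real logs (TEST-NET addresses stand in for the Internet).
SAMPLE_FLOWS = [
    "10.1.2.30,49152,10.1.2.10,445,tcp,ALLOW",     # WSA -> domain controller, stays internal
    "203.0.113.7,51000,10.1.2.10,445,tcp,ALLOW",   # Internet -> DC on SMB: should be blocked
    "10.1.5.22,50001,198.51.100.9,139,tcp,ALLOW",  # workstation -> Internet on NetBIOS: should be blocked
    "198.51.100.9,40000,10.1.5.22,137,udp,DENY",   # already blocked, no finding
    "10.1.5.22,50002,198.51.100.9,443,tcp,ALLOW",  # HTTPS outbound, out of scope
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Internal SMB between the WSA and the domain controller is deliberately left out of the findings, since the plan keeps that path open and blocks SMB only at the Internet boundary.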
 
Longer-term Plan
 
Cisco is currently working on implementing the feature request tracked via Cisco Bug ID CSCuo70696: “Add support for native SMBv2 protocol”.
Support for the SMBv2 and SMBv3 protocols on WSA is currently under development and will be released for existing and future WSA releases by Q4CY17.

Related Community Discussions

WSAv supports SMBv1 only
This needs to be fixed to support SMBv2/3 rapidly, in line with guidance from Microsoft for mitigation of WannaCry and future exploits against the SMBv1 protocol. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ The current stance from Cisco of "just enable SMBv1 again" isn't acceptable.
Latest activity: May 18, 2017