Nmap Development mailing list archives
smb2-security-mode and SMB3
From: JT Tyra <jt.tyra () gmail com>
Date: Tue, 21 Mar 2023 13:25:08 -0500
Hello everyone,

While working through some vulnerability reports at my company, I came across the following output from nmap, in particular the smb2-security-mode.nse script.

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
# Nmap done at Thu Jul 21 16:11:00 2022 -- 1 IP address (1 host up) scanned in 1.38 seconds
The long story short here is that I believe this is a false positive. When SMBv3 is the only available SMB dialect AND SMB encryption is enabled, message signing exists. SMBv3 does an Encrypt+Sign <https://learn.microsoft.com/en-us/archive/blogs/openspecification/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys#built-in-signing-in-smb-3x-encryption>. The script in question here simply looks for the status of an SMBv2 security mode flag. If the flag doesn't == 0x1 or 0x2, signing_enabled or signing_required is listed as false. It doesn't consider SMBv3 at all. Based on my research, with SMBv3 encryption, these SMBv2 security_mode flags are effectively deprecated. (I believe in theory you could double sign the message by enabling SMBv3 encryption and turning on SMBv2 signing, but that doesn't make any sense...)

Overall I believe the logic for SMB message signing needs to be updated. Before I even attempt to provide a patch for this, I would like to discuss it with the group here. At a very minimum, perhaps update the message that it prints out.

Why this matters: My company currently has a penetration testing report with this listed as a HIGH vulnerability, the evidence for this being an nmap scan result. We are being asked to "fix" this high issue, when as far as I can tell it's not fixable. Also, I am going to guess I am not the only one with this issue.

Do others have thoughts on this? Am I the first to bring this up as a discussion topic, or have others?

-JT
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at https://seclists.org/nmap-dev/
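Added example (not part of the post above and not code from Nmap or its smb2-security-mode.nse script): the post describes a verdict derived only from the SecurityMode field of the SMB2 NEGOTIATE response, so the code below decodes a NEGOTIATE response and prints that SecurityMode-based signing verdict next to what the same packet says about encryption, i.e. the SMB2_GLOBAL_CAP_ENCRYPTION capability bit for the 3.0/3.0.2 dialects and the SMB2_ENCRYPTION_CAPABILITIES negotiate context for 3.1.1. Field layouts and constants follow MS-SMB2 sections 2.2.3 and 2.2.4; the packet builder, the sample packets (constructed, not captured traffic) and the function names build_negotiate_response, parse_negotiate_response, signing_verdict and summarize are this example's own. Of the three verdict strings, only "Message signing enabled but not required" is taken from the scan output in the post; the other two are this example's wording, not the script's.

```python
"""Added example: decode an SMB2 NEGOTIATE response and compare the SecurityMode
signing verdict with the encryption the same packet advertises (MS-SMB2 2.2.3/2.2.4).
Builder and sample packets are constructed for this example; not captured traffic."""
import struct

# SecurityMode flags (MS-SMB2 2.2.4); the verdict in the post rests on these alone.
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
# Capabilities bit advertising encryption; defined for the 3.0 and 3.0.2 dialects.
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040
# Negotiate context types; contexts are present only when the dialect is 3.1.1.
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001
SMB2_ENCRYPTION_CAPABILITIES = 0x0002
CIPHERS = {0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM",
           0x0003: "AES-256-CCM", 0x0004: "AES-256-GCM"}
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}
HDR = 64        # the SMB2 packet header is always 64 bytes
NEG_FIXED = 64  # fixed part of the NEGOTIATE response body (StructureSize is 65)


def _context(ctype, data):
    """One negotiate context: ContextType(2) DataLength(2) Reserved(4) Data."""
    return struct.pack("<HHI", ctype, len(data), 0) + data


def build_negotiate_response(dialect, security_mode, capabilities, cipher=None):
    """Construct a minimal NEGOTIATE response (header + body) for this example."""
    # Header: StructureSize 64, Command 0 (NEGOTIATE), Flags 0x1 (SERVER_TO_REDIR).
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 0x1,
                                      0, 0, 0, 0, 0, b"\x00" * 16)
    # 12 placeholder bytes standing in for the SPNEGO security blob (not a real token).
    sec_blob = b"\x60\x0a\x06\x08\x2b\x06\x01\x05\x05\x02\x00\x00"
    ctx_count, ctx_off, contexts = 0, 0, b""
    if dialect == 0x0311:
        # 3.1.1 always carries a preauth-integrity context (SHA-512, 32-byte salt);
        # an encryption context follows when the server selected a cipher.
        ctxs = [_context(SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
                         struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32)]
        if cipher is not None:
            ctxs.append(_context(SMB2_ENCRYPTION_CAPABILITIES, struct.pack("<HH", 1, cipher)))
        end = HDR + NEG_FIXED + len(sec_blob)
        ctx_off = (end + 7) & ~7                      # contexts are 8-byte aligned
        contexts = (b"\x00" * (ctx_off - end)
                    + b"".join(c + b"\x00" * (-len(c) % 8) for c in ctxs))
        ctx_count = len(ctxs)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, ctx_count,
                       b"\x00" * 16, capabilities, 0x800000, 0x800000, 0x800000,
                       0, 0, HDR + NEG_FIXED, len(sec_blob), ctx_off)
    return header + body + sec_blob + contexts


def parse_negotiate_response(pkt):
    """Return dialect, SecurityMode flags, the encryption capability bit and, for
    3.1.1, the cipher list from the SMB2_ENCRYPTION_CAPABILITIES context."""
    if pkt[:4] != b"\xfeSMB" or len(pkt) < HDR + NEG_FIXED:
        raise ValueError("not an SMB2 packet")
    if struct.unpack_from("<H", pkt, 12)[0] != 0:     # Command must be NEGOTIATE
        raise ValueError("not a NEGOTIATE message")
    (ssize, secmode, dialect, ctx_count, _guid, caps, _mt, _mr, _mw, _stime,
     _sstart, _soff, _slen, ctx_off) = struct.unpack_from("<HHHH16sIIIIQQHHI", pkt, HDR)
    if ssize != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % ssize)
    info = {"dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
            "signing_enabled": bool(secmode & SMB2_NEGOTIATE_SIGNING_ENABLED),
            "signing_required": bool(secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
            "cap_encryption": bool(caps & SMB2_GLOBAL_CAP_ENCRYPTION),
            "ciphers": None}
    if dialect == 0x0311:                              # only 3.1.1 carries contexts
        off = ctx_off
        for _ in range(ctx_count):
            off = (off + 7) & ~7
            if off + 8 > len(pkt):
                raise ValueError("truncated negotiate context header")
            ctype, dlen = struct.unpack_from("<HH", pkt, off)
            if off + 8 + dlen > len(pkt):
                raise ValueError("truncated negotiate context data")
            data = pkt[off + 8:off + 8 + dlen]
            if ctype == SMB2_ENCRYPTION_CAPABILITIES:
                n = struct.unpack_from("<H", data)[0]
                info["ciphers"] = [CIPHERS.get(c, "0x%04x" % c)
                                   for c in struct.unpack_from("<%dH" % n, data, 2)]
            off += 8 + dlen
    return info


def signing_verdict(info):
    """Verdict from SecurityMode alone. Only the middle string is the one from the
    scan output in the post; the other two labels are this example's own wording."""
    if info["signing_required"]:
        return "Message signing enabled and required"
    if info["signing_enabled"]:
        return "Message signing enabled but not required"
    return "Message signing disabled"


def summarize(pkt):
    """One line: dialect, signing verdict, and the encryption the packet advertises."""
    info = parse_negotiate_response(pkt)
    enc = info["ciphers"] or (["SMB2_GLOBAL_CAP_ENCRYPTION"] if info["cap_encryption"] else [])
    return "%s: %s; encryption advertised: %s" % (
        info["dialect"], signing_verdict(info), ", ".join(enc) or "none")


if __name__ == "__main__":
    # Constructed samples: a 3.1.1 server with signing enabled-only and AES-128-GCM
    # selected, and a 3.0.2 server that requires signing and sets the capability bit.
    print(summarize(build_negotiate_response(0x0311, SMB2_NEGOTIATE_SIGNING_ENABLED,
                                             0x2f, cipher=0x0002)))
    print(summarize(build_negotiate_response(0x0302, 0x0003,
                                             0x2f | SMB2_GLOBAL_CAP_ENCRYPTION)))
```

One caveat a practitioner will want when reading such output: the NEGOTIATE response only says that the server supports encryption and which cipher it chose, not that it enforces it. Whether encryption is actually required shows up later in the connection, as SMB2_SESSION_FLAG_ENCRYPT_DATA (0x0004) in the SESSION_SETUP response SessionFlags for a server-wide setting, and as SMB2_SHAREFLAG_ENCRYPT_DATA (0x00008000) in the TREE_CONNECT response ShareFlags for a per-share setting. A 3.1.1 server that advertises AES-128-GCM but does not set either flag still carries unencrypted traffic whose integrity depends on signing, which is why a negotiate-only check (this example included) cannot settle the question on its own; on the server side the corresponding settings are the EncryptData properties reported by Get-SmbServerConfiguration and Get-SmbShare.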
Current thread:
- smb2-security-mode and SMB3 JT Tyra (Mar 21)