Nmap Development mailing list archives

Re: smb2-security-mode and SMB3


From: Robin Wood <robin@digi.ninja>
Date: Tue, 21 Mar 2023 18:49:10 +0000

I can't help with the dev changes, but it's interesting that it's been given
high; Tenable only gives it CVSSv3 5.3, which is a solid medium. Is there
anything special in your environment to justify high?

Robin

On Tue, 21 Mar 2023, 18:25 JT Tyra, <jt.tyra () gmail com> wrote:

Hello Everyone,

While working through some vulnerability reports at my company, I came
across the following output from nmap, in particular the
smb2-security-mode.nse script.


Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

# Nmap done at Thu Jul 21 16:11:00 2022 -- 1 IP address (1 host up) scanned in 1.38 seconds

The long story short here is that I believe this is a false positive. When
SMBv3 is the only available smb dialect AND smb encryption is enabled,
message signing exists. SMBv3 does an Encrypt+Sign
<https://learn.microsoft.com/en-us/archive/blogs/openspecification/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys#built-in-signing-in-smb-3x-encryption>.


The script in question here simply looks for the status of an SMBv2
security mode flag. If the flag doesn't == 0x1 or 0x2, signing_enabled or
signing_required is listed as false. It doesn't consider SMBv3 at all.

Based on my research, with SMBv3 encryption, these SMBv2 security_mode
flags are effectively deprecated.
(I believe in theory you could double sign the message by enabling SMBv3
encryption and turning on SMBv2 signing, but that doesn't make any sense...)


Overall I believe the logic for SMB message signing needs to be updated.
Before I even attempt to provide a patch for this, I would like to discuss
with the group here. At a very minimum perhaps update the message that it
prints out.

Why this matters:
My company currently has a penetration testing report with this listed as
a HIGH vulnerability. The evidence for this is an nmap scan result. We
are being asked to "fix" this high issue, when as far as I can tell it's not
fixable. Also, I am going to guess I am not the only one with this issue.

Do others have thoughts on this? Am I the first to bring this up as a
discussion topic or have others?

-JT
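The check the thread is about, written out as an added example (not nmap's smb2-security-mode.nse and not code from either poster): it parses the SecurityMode bits of an SMB2 NEGOTIATE response the way the script does, and additionally reads where SMB3 encryption is advertised (the Capabilities bit for 3.0/3.0.2, the SMB2_ENCRYPTION_CAPABILITIES negotiate context for 3.1.1) so the verdict can be reported together with the encryption state. The sample bytes are constructed with a zeroed 64-byte header; a real response only advertises that encryption is available, it does not say whether the server rejects unencrypted sessions, so the signing verdict is annotated rather than suppressed.

```python
import struct

# Field values from MS-SMB2 2.2.4 (SMB2 NEGOTIATE Response)
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002  # SecurityMode bits
CAP_ENCRYPTION = 0x00000040   # Capabilities bit, meaningful for 3.0 / 3.0.2 only
CTX_ENCRYPTION = 0x0002       # SMB2_ENCRYPTION_CAPABILITIES context (3.1.1)
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}
HDR = 64                      # SMB2 header size; context offsets count from it


def parse_negotiate_response(msg):
    """Return (dialect, security_mode, cipher) from raw header + NEGOTIATE response."""
    body = msg[HDR:]
    size, sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", body, 0)
    if size != 65:
        raise ValueError("not an SMB2 NEGOTIATE response")
    caps, = struct.unpack_from("<I", body, 24)
    ctx_off, = struct.unpack_from("<I", body, 60)
    cipher = None
    if dialect == 0x0311:                 # 3.1.1: encryption is a negotiate context
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", msg, ctx_off)
            if ctype == CTX_ENCRYPTION and dlen >= 4:
                cipher = CIPHERS.get(struct.unpack_from("<H", msg, ctx_off + 10)[0], "unknown")
            ctx_off += (8 + dlen + 7) & ~7  # contexts are 8-byte aligned
    elif dialect in (0x0300, 0x0302) and caps & CAP_ENCRYPTION:
        cipher = "AES-128-CCM"            # the only cipher defined for 3.0 / 3.0.2
    return dialect, sec_mode, cipher


def signing_verdict(msg):
    """smb2-security-mode style verdict, extended with the SMB3 encryption state."""
    dialect, sec_mode, cipher = parse_negotiate_response(msg)
    if sec_mode & SIGNING_REQUIRED:
        text = "Message signing enabled and required"
    elif sec_mode & SIGNING_ENABLED:
        text = "Message signing enabled but not required"
    else:
        text = "Message signing disabled"
    if cipher:
        # Encrypted SMB3 sessions are not separately signed; the flags above
        # still govern any session the server lets run unencrypted.
        text += " (SMB3 encryption available: %s)" % cipher
    name = "%d.%d.%d" % (dialect >> 8, (dialect >> 4) & 0xF, dialect & 0xF)
    return name, text


def sample_response(dialect, sec_mode, cipher_id=None):
    """Constructed test bytes: zeroed 64-byte header + minimal NEGOTIATE response."""
    ctx = b""
    if cipher_id and dialect == 0x0311:
        ctx = struct.pack("<HHIHH", CTX_ENCRYPTION, 4, 0, 1, cipher_id)
    caps = CAP_ENCRYPTION if cipher_id and dialect != 0x0311 else 0
    body = struct.pack("<HHHH", 65, sec_mode, dialect, 1 if ctx else 0) + b"\0" * 16
    body += struct.pack("<IIIIQQHHI", caps, 0, 0, 0, 0, 0, HDR + 64, 0, HDR + 64)
    return b"\xfeSMB" + b"\0" * 60 + body + ctx
```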



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/