topic Thank you Thomas, in Web Security

WSAv supports SMBv1 only

thomas wing — Mon, 15 May 2017 11:33:21 GMT

this needs to be fixed to support SMBv2/3 rapidly, inline with guidance from Microsoft for mitigation of WannaCry and future exploits against the SMBv1 protocol.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Current stance from Cisco of "just enable SMBv1 again" isnt acceptable.

I am also currently facing

abadcabassa — Tue, 16 May 2017 16:49:10 GMT

I am also currently facing this. SMBv1 is insecure and cannot be used. If Cisco doesn't do something about this we may have to decommission the product and go with a vendor who does support proper protocols.

Can anyone give insight to the AD agent that can be installed on the AD servers? Would this still require SMB at all to authenticate users?

There isn't an agent that

Ken Stieers — Tue, 16 May 2017 17:01:59 GMT

There isn't an agent that gets installed on the AD servers.

You can deploy the CDA, a VM that is given access to the AD boxes. It scrapes the EventLog to get logins and IP's and passes that info to the WSA (and ASA).

You can also use ISE to do something similar.

Thank you Ken,

abadcabassa — Tue, 16 May 2017 17:16:06 GMT

Thank you Ken,

That clears some things up for me. Do you know if the solution via CDA would utilize SMBv1 at any point? I cant stress how important moving away from SMBv1 is as Thomas mentioned above.

We're currently using the CDA

thomas wing — Tue, 16 May 2017 17:25:38 GMT

We're currently using the CDA, however this still requires a domain join on the WSA (even for transparent identity) which still leverages SMBv1

I'm still waiting for cisco

thomas wing — Tue, 16 May 2017 17:27:04 GMT

I'm still waiting for cisco to release new code with support for v2/v3. Have a TAC case open and now just waiting

Thank you Thomas,

abadcabassa — Tue, 16 May 2017 17:28:52 GMT

Thank you Thomas,

That helps so I don't need to waste time going through an approval process to test it. Hopefully CIsco considers this a top priority.

I noticed 10.1.1 build 234 is

abadcabassa — Wed, 17 May 2017 16:58:06 GMT

I noticed 10.1.1 build 234 is available as of yesterday. Anyone got information regarding to this possibly having a fix?

I have a gc with SMB1 removed

Ken Stieers — Wed, 17 May 2017 17:40:15 GMT

I have a gc with SMB1 removed...

Time check still fails when I test against it using 10.1.1-234

Thank you. I had the same

abadcabassa — Wed, 17 May 2017 19:12:10 GMT

Thank you. I had the same findings.

they really dont class it as

thomas wing — Thu, 18 May 2017 07:29:42 GMT

they really dont class it as urgent per their own annoucement:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir

Support for SMBv2 and SMBv3 protocols on WSA is currently under development, and will be released for existing, and future releases of WSA by Q4CY17.

needless to say, we are displeased and are speaking with cisco regarding this, i recommend other do the same, more noise and cases that are raised for this will push it up their development timeframe.

Thank you Thomas,

abadcabassa — Thu, 18 May 2017 13:22:11 GMT

Thank you Thomas,

We will also be contacting Cisco about this.