Symptoms
EMC vulnerability to the WannaCry virus
The virus exploits CVE-2017-0147 (aka MS17-010), which allows remote attackers to obtain sensitive information from process memory on an SMBv1 server via a crafted packet.
Unity, VNXe2 (KH+ 3200), VNXe1
This vulnerability is not exploitable on Unity, VNXe2 (KH+ 3200), or VNXe1. The SMB code on these platforms is proprietary and not vulnerable to this attack.
VNXe2 (1600 bearcat)
This is block-only storage and is not vulnerable to this attack.
VNX2, VNX1
This vulnerability is not exploitable. The SMBv1 protocol is blocked and not accessible from external communications in the VNX Block system; the SMB code on File/Unified is proprietary and not vulnerable to this attack.
Resolution
What if I still need to disable SMBv1 to conform to my internal security standards?
VNX systems are not susceptible to WannaCry because it targets Microsoft's SMBv1 server specifically. Dell EMC implementations of SMBv1 are not affected. If you want to prevent your Unified systems from creating user channels on SMBv1, you can set these parameters.
Please note these parameters are only available on VNX OE versions 7.1.77 and 8.1.9.155 and Unity OE version 4.1.1 and higher.
1. VNX and older products: From the Control Station (CS), in an SSH session as the user nasadmin:
server_param ALL -f cifs -m smb1.disabled -v 1
2. Unity (versions 4.1.1 and higher): root shell is required to set the parameter. Please contact Dell EMC Technical Support or your Authorized Service Partner and quote this Knowledgebase ID.
PLEASE NOTE: THIS ONLY PREVENTS THE DATA MOVER FROM CREATING USER CHANNELS USING SMBv1. The Data Mover will still use SMBv1 to establish secure channel communications with the Domain Controller. If you want to completely stop using SMBv1, see the next section entitled, "What if I want to disable SMBv1 on the Domain Controllers."
What if I want to disable SMBv1 on the Domain Controllers?
Please do not disable SMBv1 on the Domain Controllers unless you are running a supported version of VNX OE or Unity OE:
- VNX2 Systems: 8.1.9.211
- Unity Systems: 4.1.1
- VNX1 Systems: 7.1.80.710
On all versions prior to the ones listed, SMBv1 is required in order to perform secure channel setup with the Domain Controller. Disabling SMBv1 at the Domain Controller level will cause an outage as your CIFS servers will no longer be able to negotiate secure channels with the DCs.
What if I want to block files with certain extensions from being written to the Data Mover?
You can use EMC File Extension Filtering to block these file extensions from being written:
*.wnry, *.wcry, *.wncry, and *.wncryt
Please note we can stop these extensions from being written, but this may not completely stop the virus. Additionally, file filtering does not stop the renaming of files to these extensions, just the writing of new files with these extensions.
Please refer to the documentation which covers EMC File Extension Filtering for more information.
What happens if I find WannaCry files written on my VNX shares? Does this mean my VNX has been infected?
The VNX and Unity systems are not susceptible to the WannaCry virus. It is possible, however, for WannaCry to infect client machines. If these client machines have mapped drives and have the proper write permissions, they can encrypt files on the NAS shares.
Please take precautions and checkpoint your filesystems. Please refer to the documentation pages for your systems to learn how to enable checkpoints for your NAS filesystems.
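Because file filtering does not stop files being renamed to these extensions, a periodic scan of the share is a useful complement. The following is an added example, not Dell EMC code: it walks a share mounted on an administrative client (the mount path is an assumption supplied by the operator), lists files carrying the extensions named in this article, and reports the affected directories and the earliest modification time among the hits as a starting point for choosing a checkpoint.

```python
import os
import sys
from collections import Counter

# Extensions listed in this article for EMC File Extension Filtering.
WANNACRY_EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncryt")


def find_wannacry_files(share_root):
    """Walk a mounted share and return a list of (path, mtime) for matching files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(share_root):
        for name in filenames:
            # Windows clients treat names case-insensitively, so compare lowercased.
            if name.lower().endswith(WANNACRY_EXTENSIONS):
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.lstat(path).st_mtime
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                hits.append((path, mtime))
    return hits


def summarize_by_directory(hits):
    """Count matching files per directory to show which shares/folders were hit."""
    return Counter(os.path.dirname(path) for path, _mtime in hits)


def earliest_mtime(hits):
    """Earliest modification time among the hits, or None when nothing matched."""
    return min((mtime for _path, mtime in hits), default=None)


if __name__ == "__main__":
    # Usage: python scan_share.py /mnt/nas_share   (mount point is an assumption)
    found = find_wannacry_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, count in summarize_by_directory(found).most_common():
        print(f"{count}\t{directory}")
    first = earliest_mtime(found)
    if first is not None:
        print(f"earliest hit mtime (epoch seconds): {first:.0f}")
```
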
Dell EMC Unity Family | Dell EMC Unity All Flash, Dell EMC Unity Hybrid, Dell EMC UnityVSA (Virtual Storage Appliance), VNX1 Series, VNX2 Series