PSIRT Advisory

FortiOS by default disables SMBv1 support


Server Message Block (SMB) 1.0, a legacy file and print sharing protocol, has been deprecated by Microsoft due to its potential downgrade, man-in-the-middle, collision and pre-image attack vulnerabilities.

Support for SMBv1 is now disabled in the FortiOS SSL VPN and DLP fingerprint features; no other FortiOS feature supports the SMBv1 protocol.

For SSL VPN, a new per-portal CLI option is introduced and is disabled by default (* marks the default value):

config vpn ssl web portal
    edit {name}
        set smb-ntlmv1-auth {enable | *disable}
    next
end

SMBv1 remains off unless an administrator explicitly sets this option to "enable" on a portal.
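Because the option is per portal, a device with many SSL VPN portals can be audited from a configuration backup rather than by walking the CLI. The following audit script is an added example, not Fortinet code; it assumes the usual FortiOS backup layout (config vpn ssl web portal / edit "name" / set ... / next / end) and the behaviour, common to FortiOS backups, that settings left at their default are omitted, so a portal with no smb-ntlmv1-auth line is at the default "disable". The sample configuration embedded in the script is constructed for illustration.

```python
"""Audit a FortiOS configuration backup for SSL VPN portals that have
re-enabled SMBv1 (NTLMv1) authentication.

Added example, not Fortinet code. Assumptions:
  * the backup uses the standard layout
      config vpn ssl web portal / edit "<name>" / set ... / next / end
  * settings at their default value are omitted from the backup, so a
    portal without a "set smb-ntlmv1-auth" line is at the default (disable).
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional

# Constructed sample backup; hostnames, portal names and build string are
# made up for the example.
SAMPLE_CONFIG = """\
#config-version=FGT60E-5.6.1-FW-build0000-000000:opmode=0:vdom=0:user=admin
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
        set smb-ntlmv1-auth enable
    next
    edit "web-access"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "tunnel-access"
        set smb-ntlmv1-auth disable
    next
end
config system global
    set hostname "fw-lab"
end
"""

SECTION_START = "config vpn ssl web portal"
EDIT_RE = re.compile(r'^edit\s+"?(.+?)"?$')
SMB_RE = re.compile(r"^set\s+smb-ntlmv1-auth\s+(enable|disable)$")


def portal_smbv1_settings(config_text: str) -> Dict[str, str]:
    """Return {portal_name: "enable" | "disable"} for every SSL VPN portal.

    Portals with no explicit "set smb-ntlmv1-auth" line are reported as
    "disable", the default documented in the advisory.
    """
    results: Dict[str, str] = {}
    in_section = False
    depth = 0  # nesting of "config ... end" tables inside a portal entry
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == SECTION_START
            continue
        if line.startswith("config "):
            depth += 1  # nested table (bookmark groups etc.); skip its contents
            continue
        if line == "end":
            if depth == 0:
                break  # closing "end" of the portal section
            depth -= 1
            continue
        if depth:
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = "disable"  # default until a "set" says otherwise
            continue
        if line == "next":
            current = None
            continue
        m = SMB_RE.match(line)
        if m and current is not None:
            results[current] = m.group(1)
    return results


def portals_with_smbv1(config_text: str) -> List[str]:
    """Names of portals where SMBv1/NTLMv1 authentication was turned on."""
    settings = portal_smbv1_settings(config_text)
    return sorted(name for name, value in settings.items() if value == "enable")


if __name__ == "__main__":
    for name, value in portal_smbv1_settings(SAMPLE_CONFIG).items():
        print(f"{name}: smb-ntlmv1-auth {value}")
    print("portals with SMBv1 enabled:", portals_with_smbv1(SAMPLE_CONFIG))
```

Run it against a backup taken with "execute backup config" (or the GUI backup) by replacing SAMPLE_CONFIG with the file contents; any portal listed by portals_with_smbv1 has been manually switched away from the secure default and should be justified or reverted.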

SMBv1 is permanently disabled for the DLP fingerprint feature.


Impact

Escalation of Privilege

Affected Products

FortiOS version 5.6.0 and below.

Solutions

Upgrade to FortiOS version 5.6.1