[Security] Disable and remove SMB1
Description
VLC on Android has SMB1 enabled by default and prefers it by default. SMB1 has been deprecated for years because it is horribly unsafe and insecure. I suggest disabling and removing support for SMB1.
Expected behavior
VLC should at least disable SMB1 by default and only enable it on explicit user request. It would be even nicer if VLC would not ship any code for SMB1 at all any more.
Actual behavior
SMB 1 is enabled by default and preferred by default.
Steps to reproduce
- Open VLC on Android
- Open Settings
- Go to Settings → Advanced and find Prefer SMB 1
Context
App version
VLC for Android 3.4.3 (Revision 7e6165d1) installed from F-Droid
Android version
Android 11
Device model
Doesn't matter
App mode
Smartphone
Additional info
See this recent security issue for example: https://cybersrcc.com/2022/02/14/samba-bug-allows-remote-attackers-to-execute-arbitrary-code-as-root/ Also, SMB was highly discouraged even in 2016: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 And the internet is full of CVEs related to SMB1.
Samba, the Linux SMB implementation, has disabled SMB1 by default since 2019 and plans to remove SMB1. According to Wikipedia:
"Microsoft has marked SMB1 as deprecated in June 2013.[23] Windows Server 2016 and Windows 10 version 1709 do not have SMB1 installed by default.[24]"
So most of the server software running out there should not even be able to speak SMB1 any more. Disabling it by default may even increase compatibility with SMB servers.
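
To check from a packet capture whether a client opens a connection in SMB1, the first frame it sends on port 445 can be classified as below. This is an added example, not part of the original report and not VLC code. It assumes direct-TCP framing and the SMB1 negotiate layout from the SMB/CIFS protocol specifications. The function names and the sample frames are constructed for illustration, and the samples are not captures from VLC.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_HEADER_LEN = 32          # fixed SMB1 header size
SMB_COM_NEGOTIATE = 0x72


def classify_negotiate(frame: bytes) -> dict:
    """Classify a client's first direct-TCP (port 445) SMB frame."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a session message")
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if len(msg) < length:
        raise ValueError("truncated frame")
    if msg[:4] == SMB2_MAGIC:
        return {"wire": "SMB2+", "dialects": [], "smb1_only": False}
    if msg[:4] != SMB1_MAGIC or len(msg) < SMB1_HEADER_LEN + 3:
        raise ValueError("not an SMB message")
    if msg[4] != SMB_COM_NEGOTIATE:
        raise ValueError("SMB1 message, but not a negotiate request")
    pos = SMB1_HEADER_LEN + 1 + 2 * msg[SMB1_HEADER_LEN]  # skip parameter words
    if pos + 2 > len(msg):
        raise ValueError("truncated negotiate request")
    (byte_count,) = struct.unpack_from("<H", msg, pos)
    data = msg[pos + 2:pos + 2 + byte_count]
    if len(data) < byte_count:
        raise ValueError("truncated dialect list")
    dialects, i = [], 0
    while i < len(data):
        end = data.find(b"\x00", i + 1)
        if data[i] != 0x02 or end == -1:  # each entry: 0x02 + NUL-terminated name
            raise ValueError("malformed dialect entry")
        dialects.append(data[i + 1:end].decode("ascii", "replace"))
        i = end + 1
    # "SMB 2.002" / "SMB 2.???" inside an SMB1 negotiate mean the client can move up to SMB2.
    upgradable = any(d.startswith("SMB 2.") for d in dialects)
    return {"wire": "SMB1", "dialects": dialects, "smb1_only": not upgradable}


def build_smb1_negotiate(dialects):
    """Build a constructed sample frame (header fields other than command zeroed)."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(27) + b"\x00"
    msg += struct.pack("<H", len(body)) + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed samples, not captures from VLC or any real client.
LEGACY_ONLY = build_smb1_negotiate(["NT LM 0.12"])
MULTI_PROTOCOL = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
```

A result with `smb1_only` set to true means the client offered no SMB2 dialect, so the session can only proceed if the server still accepts SMB1.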