Subscribe
Accepted Solution

NetAPP Ontap and Bash Shellshock

I have not been able to find any info on NetAPP products and the "new" Linux vulnerability Shellshock.

 

Any info would be appreciated in regards to NetAPP products.

 

Thank you,

 

Re: NetAPP Ontap and Bash Shellshock

[ Edited ]

Hi Frank,

 

I found some links that I believe you would find useful.

 

 

I hope this helps you.

 

Thanks for using the NetApp Community!

 

-Alissa

Alissa
NetApp Community & Influence Marketing Manager

Re: NetAPP Ontap and Bash Shellshock

[ Edited ]

There are now scanners available to scan your network to see if any of your systems are vulnerable to the ShellShock Bash Bug.

 

Regards,

 

Nicholas Lee Fagan

https://twitter.com/OrlandoPCRepair

Re: NetAPP Ontap and Bash Shellshock

That did, thank you so much for your help.

and I signed up.

Re: NetAPP Ontap and Bash Shellshock

That advisory doesn't answer all of our questions.  It is unclear if our NetApp devices are remotely exploitable without authentication, OR is it only exploitable if you are able to SSH into the appliances?

 

Please update the advisory ASAP.  This is critical with customers who have confidential data stored on NetApp filers.  We already have a support case open and have escalated numerous times, but cannot seem to get to anyone who can provide a definitive answer.

 

Thank you for your help.

Re: NetAPP Ontap and Bash Shellshock

Folks, you have to remember that when you access a FAS system via SSH you are connecting into ONTAP and not into a BASH shell. In order to get to the BASH shell a special account has to be 1) unlocked, 2) assigned a password, 3) enter a command to get to the login prompt and 4) then authenticated. I'm not saying that this puts the system in the clear; just saying that it takes some effort to get to the BASH shell of ONTAP.

Re: NetAPP Ontap and Bash Shellshock

NetApp needs to post that in their official advisory, then.  As far as I know the Data ONTAP web interface could be vulnerable with unauthenticated users.  Other vendors have posted what the attack vector is. 

 

All I want is something similar to:

 

Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.

 

Its been a week.  Tell us the attack vectors already so that we can tell OUR customers if their data is safe.  This is getting ridiculous.

Re: NetAPP Ontap and Bash Shellshock

This was posted around it and is the official location to go for updates: https://library.netapp.com/ecm/ecm_get_file/ECMP1655016.  It was posted in an earlier response, not sure if you saw it.

Re: NetAPP Ontap and Bash Shellshock

I've seen it multiple times.  It does not answer the question of the attack vector.

Re: NetAPP Ontap and Bash Shellshock

AFAIK, and I've been working with and deploying NetApp ONTAP solutions for a long time, there is no direct (remote) SSH access to the BASH shell.  As I mentioned earlier, you have to activiate an account to do so.  Could it be possible to do this via an API call or another method, I don't know but in order to do so, there has to be some type of authenticated access to the system in the first place.  This means a breach in a firewall for outside access, or, if within the firewall, still authenticated access to the system.  If bad security practices are being followed then, regardless of any programatic vulnerabilities, a system is exposed.