2014-09-27 09:59 AM
I have not been able to find any info on NetAPP products and the "new" Linux vulnerability Shellshock.
Any info would be appreciated in regards to NetAPP products.
Solved! SEE THE SOLUTION
2014-09-27 10:29 AM - last edited on 2014-09-28 02:26 PM by peluso
I found some links that I believe you would find useful.
I hope this helps you.
Thanks for using the NetApp Community!
2014-09-27 04:33 PM - last edited on 2014-09-27 09:45 PM by allison
There are now scanners available to scan your network to see if any of your systems are vulnerable to the ShellShock Bash Bug.
Nicholas Lee Fagan
2014-09-29 12:10 PM
That advisory doesn't answer all of our questions. It is unclear if our NetApp devices are remotely exploitable without authentication, OR is it only exploitable if you are able to SSH into the appliances?
Please update the advisory ASAP. This is critical with customers who have confidential data stored on NetApp filers. We already have a support case open and have escalated numerous times, but cannot seem to get to anyone who can provide a definitive answer.
Thank you for your help.
2014-10-02 06:20 AM
Folks, you have to remember that when you access a FAS system via SSH you are connecting into ONTAP and not into a BASH shell. In order to get to the BASH shell a special account has to be 1) unlocked, 2) assigned a password, 3) enter a command to get to the login prompt and 4) then authenticated. I'm not saying that this puts the system in the clear; just saying that it takes some effort to get to the BASH shell of ONTAP.
2014-10-02 06:26 AM
NetApp needs to post that in their official advisory, then. As far as I know the Data ONTAP web interface could be vulnerable with unauthenticated users. Other vendors have posted what the attack vector is.
All I want is something similar to:
Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.
Its been a week. Tell us the attack vectors already so that we can tell OUR customers if their data is safe. This is getting ridiculous.
2014-10-02 06:31 AM
This was posted around it and is the official location to go for updates: https://library.netapp.com/ecm/ecm_get_file/ECMP1655016. It was posted in an earlier response, not sure if you saw it.
2014-10-02 06:48 AM
AFAIK, and I've been working with and deploying NetApp ONTAP solutions for a long time, there is no direct (remote) SSH access to the BASH shell. As I mentioned earlier, you have to activiate an account to do so. Could it be possible to do this via an API call or another method, I don't know but in order to do so, there has to be some type of authenticated access to the system in the first place. This means a breach in a firewall for outside access, or, if within the firewall, still authenticated access to the system. If bad security practices are being followed then, regardless of any programatic vulnerabilities, a system is exposed.