topic Re: NetAPP Ontap and Bash Shellshock in ONTAP Discussions

NetAPP Ontap and Bash Shellshock

FRANK_KEOUGH — Thu, 05 Jun 2025 05:28:15 GMT

I have not been able to find any info on NetAPP products and the "new" Linux vulnerability Shellshock.

Any info would be appreciated in regards to NetAPP products.

Thank you,

Re: NetAPP Ontap and Bash Shellshock

alissa — Sun, 28 Sep 2014 21:26:23 GMT

Hi Frank,

I found some links that I believe you would find useful.

Here is the direct link to the information: https://library.netapp.com/ecm/ecm_get_file/ECMP1655016
Here is the actual list of vulnerabilities: http://mysupport.netapp.com/NOW/knowledge/docs/olio/scanner_results/
Here you'll find the process to stay informed:http://www.netapp.com/us/legal/vulnerability-handling-response-policy.aspx

I hope this helps you.

Thanks for using the NetApp Community!

-Alissa

Re: NetAPP Ontap and Bash Shellshock

nicholaf — Sun, 28 Sep 2014 04:45:53 GMT

There are now scanners available to scan your network to see if any of your systems are vulnerable to the ShellShock Bash Bug.

Regards,

Nicholas Lee Fagan

https://twitter.com/OrlandoPCRepair

Re: NetAPP Ontap and Bash Shellshock

FRANK_KEOUGH — Sun, 28 Sep 2014 19:07:14 GMT

That did, thank you so much for your help.

and I signed up.

Re: NetAPP Ontap and Bash Shellshock

pmdfnetapp — Mon, 29 Sep 2014 19:10:38 GMT

That advisory doesn't answer all of our questions. It is unclear if our NetApp devices are remotely exploitable without authentication, OR is it only exploitable if you are able to SSH into the appliances?

Please update the advisory ASAP. This is critical with customers who have confidential data stored on NetApp filers. We already have a support case open and have escalated numerous times, but cannot seem to get to anyone who can provide a definitive answer.

Thank you for your help.

Re: NetAPP Ontap and Bash Shellshock

Andre_Clark — Thu, 02 Oct 2014 13:20:09 GMT

Folks, you have to remember that when you access a FAS system via SSH you are connecting into ONTAP and not into a BASH shell. In order to get to the BASH shell a special account has to be 1) unlocked, 2) assigned a password, 3) enter a command to get to the login prompt and 4) then authenticated. I'm not saying that this puts the system in the clear; just saying that it takes some effort to get to the BASH shell of ONTAP.

Re: NetAPP Ontap and Bash Shellshock

pmdfnetapp — Thu, 02 Oct 2014 13:26:40 GMT

NetApp needs to post that in their official advisory, then. As far as I know the Data ONTAP web interface could be vulnerable with unauthenticated users. Other vendors have posted what the attack vector is.

All I want is something similar to:

Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.

Its been a week. Tell us the attack vectors already so that we can tell OUR customers if their data is safe. This is getting ridiculous.

Re: NetAPP Ontap and Bash Shellshock

Andre_Clark — Thu, 02 Oct 2014 13:31:43 GMT

This was posted around it and is the official location to go for updates: https://library.netapp.com/ecm/ecm_get_file/ECMP1655016. It was posted in an earlier response, not sure if you saw it.

Re: NetAPP Ontap and Bash Shellshock

pmdfnetapp — Thu, 02 Oct 2014 13:39:06 GMT

I've seen it multiple times. It does not answer the question of the attack vector.

Re: NetAPP Ontap and Bash Shellshock

Andre_Clark — Thu, 02 Oct 2014 13:48:55 GMT

AFAIK, and I've been working with and deploying NetApp ONTAP solutions for a long time, there is no direct (remote) SSH access to the BASH shell. As I mentioned earlier, you have to activiate an account to do so. Could it be possible to do this via an API call or another method, I don't know but in order to do so, there has to be some type of authenticated access to the system in the first place. This means a breach in a firewall for outside access, or, if within the firewall, still authenticated access to the system. If bad security practices are being followed then, regardless of any programatic vulnerabilities, a system is exposed.

Re: NetAPP Ontap and Bash Shellshock

ekashpureff — Thu, 02 Oct 2014 13:58:53 GMT

PMDF -

The full disclosure referenced above by NetApp is comprehensive.

Review of the NIST and CERT docs makes the various attack vectors clear.

They are too numerous to be spelled out in laymans terms in a more simplified manner.

What were you looking for - A comprehensive list of step by step instructions on 'how to break a NetApp' ?

I'd guess you're not going to be getting from here on the communities ...

I hope this response has been helpful to you.

At your service,

Eugene E. Kashpureff, Sr.
Independent NetApp Consultant http://www.linkedin.com/in/eugenekashpureff
Senior NetApp Instructor, IT Learning Solutions http://sg.itls.asia/netapp
(P.S. I appreciate 'kudos' on any helpful posts.)

Re: NetAPP Ontap and Bash Shellshock

pmdfnetapp — Thu, 02 Oct 2014 17:01:33 GMT

It is not comprehensive. I understand the attack vectors for the bash vulnerability as a whole. I do not know the attack vectors that could impact a NetApp filer running ONTAP.

I have a support case open as well. I just posted here to maybe get more visibility because the support case isn't helping. There are other vendors who use bash, but they have stated that their system is only vulnerable if you SSH into a device with credentials already, so the risk is low in that case becuase you would already need to have administrative credentials to login. I don't know the risk with our NetApps. Are they vulnerable via the web interface without logging in? Is there another vector that would work against them that wouldn't require authenticaiton?

I'm not trying to figure out how to "break a netapp". I'm trying to verify that our data, and our clients data is safe and not open to an unauthenticated attack. We have clients of ours asking us if their data is safe, and we cannot answer them because NetApp won't answer us.