ONTAP Discussions

NetAPP Ontap and Bash Shellshock

FRANK_KEOUGH
12,387 Views

I have not been able to find any info on NetAPP products and the "new" Linux vulnerability Shellshock.

 

Any info would be appreciated in regards to NetAPP products.

 

Thank you,

 

1 ACCEPTED SOLUTION

alissa
12,379 Views

Hi Frank,

 

I found some links that I believe you would find useful.

 

 

I hope this helps you.

 

Thanks for using the NetApp Community!

 

-Alissa

View solution in original post

11 REPLIES 11

alissa
12,380 Views

Hi Frank,

 

I found some links that I believe you would find useful.

 

 

I hope this helps you.

 

Thanks for using the NetApp Community!

 

-Alissa

FRANK_KEOUGH
12,221 Views

That did, thank you so much for your help.

and I signed up.

pmdfnetapp
11,488 Views

That advisory doesn't answer all of our questions.  It is unclear if our NetApp devices are remotely exploitable without authentication, OR is it only exploitable if you are able to SSH into the appliances?

 

Please update the advisory ASAP.  This is critical with customers who have confidential data stored on NetApp filers.  We already have a support case open and have escalated numerous times, but cannot seem to get to anyone who can provide a definitive answer.

 

Thank you for your help.

Andre_Clark
10,090 Views

Folks, you have to remember that when you access a FAS system via SSH you are connecting into ONTAP and not into a BASH shell. In order to get to the BASH shell a special account has to be 1) unlocked, 2) assigned a password, 3) enter a command to get to the login prompt and 4) then authenticated. I'm not saying that this puts the system in the clear; just saying that it takes some effort to get to the BASH shell of ONTAP.

pmdfnetapp
10,081 Views

NetApp needs to post that in their official advisory, then.  As far as I know the Data ONTAP web interface could be vulnerable with unauthenticated users.  Other vendors have posted what the attack vector is. 

 

All I want is something similar to:

 

Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.

 

Its been a week.  Tell us the attack vectors already so that we can tell OUR customers if their data is safe.  This is getting ridiculous.

Andre_Clark
10,069 Views

This was posted around it and is the official location to go for updates: https://library.netapp.com/ecm/ecm_get_file/ECMP1655016.  It was posted in an earlier response, not sure if you saw it.

pmdfnetapp
10,060 Views

I've seen it multiple times.  It does not answer the question of the attack vector.

Andre_Clark
10,044 Views

AFAIK, and I've been working with and deploying NetApp ONTAP solutions for a long time, there is no direct (remote) SSH access to the BASH shell.  As I mentioned earlier, you have to activiate an account to do so.  Could it be possible to do this via an API call or another method, I don't know but in order to do so, there has to be some type of authenticated access to the system in the first place.  This means a breach in a firewall for outside access, or, if within the firewall, still authenticated access to the system.  If bad security practices are being followed then, regardless of any programatic vulnerabilities, a system is exposed.

ekashpureff
7,179 Views

 

PMDF -

 

The full disclosure referenced above by NetApp is comprehensive.

 

Review of the NIST and CERT docs makes the various attack vectors clear.

They are too numerous to be spelled out in laymans terms in a more simplified manner.

 

What were you looking for - A comprehensive list of step by step instructions on 'how to break a NetApp' ?

I'd guess you're not going to be getting from here on the communities ...


I hope this response has been helpful to you.

At your service,

Eugene E. Kashpureff, Sr.
Independent NetApp Consultant http://www.linkedin.com/in/eugenekashpureff
Senior NetApp Instructor, IT Learning Solutions http://sg.itls.asia/netapp
(P.S. I appreciate 'kudos' on any helpful posts.)

pmdfnetapp
7,150 Views

It is not comprehensive.  I understand the attack vectors for the bash vulnerability as a whole.  I do not know the attack vectors that could impact a NetApp filer running ONTAP. 

 

I have a support case open as well.  I just posted here to maybe get more visibility because the support case isn't helping.  There are other vendors who use bash, but they have stated that their system is only vulnerable if you SSH into a device with credentials already, so the risk is low in that case becuase you would already need to have administrative credentials to login.  I don't know the risk with our NetApps.   Are they vulnerable via the web interface without logging in?  Is there another vector that would work against them that wouldn't require authenticaiton?

 

I'm not trying to figure out how to "break a netapp".  I'm trying to verify that our data, and our clients data is safe and not open to an unauthenticated attack.  We have clients of ours asking us if their data is safe, and we cannot answer them because NetApp won't answer us.

nicholaf
12,295 Views

There are now scanners available to scan your network to see if any of your systems are vulnerable to the ShellShock Bash Bug.

 

Regards,

 

Nicholas Lee Fagan

https://twitter.com/OrlandoPCRepair

Public