Network and Storage Protocols

Vulnerability of Null Session Share no password

tatlee
5,839 Views

Hi all,

The customer is doing the scanning on the filers, and found the vulnerability on a few filers:

Null session share No password,

Description: A NetBIOS share resource allows connections without a password.

Any idea what this is about? I compared the options settings with other good filers and didn't find any mismatch.

Thanks!

Terrence

9 REPLIES

adamfox

In general, scanning filers with security programs made for Windows is not a good idea.  You are bound to get lots of false positives that have no real security impact on the filer because it is making false assumptions.  As far as I know there are no scanners certified for Data ONTAP.  You can spend months trying to track down a non-issue if you keep going down this path.

Just a word of caution.

tatlee

Hi Adam,

Thanks for your info. But it is the customer's policy to have the filers scanned.

Regards,

Terrence Lee

NetApp Global Services


amiller_1

Hopefully explaining that it doesn't have Windows security vulnerabilities will help a bit....

eric_barlier

Hi Terrence,

I'm with Adam F. on this one; this is not a valid way of testing. Unfortunately it does not help you nor your customer.

After this testing, has the customer actually tested his findings to see that the share can be accessed without passwd? Also, can you maybe ask this customer to scan shares that are not on the controller, say a user sharing his folder to someone else, and see if he gets the same issues? At the end of the day CIFS is CIFS and where the share resides could be irrelevant for the customer. If that was the case, the customer would start to focus on CIFS rather than the controller.

Cheers,

Eric

adamfox

I concur here as well.  It's not reasonable to expect NetApp to try and justify why someone else's product (which we do not support and knows nothing about Data ONTAP)  thinks we have a security problem.  If the customer can demonstrate a vulnerability then, of course, we are very interested and will give that burt a very high priority.  But we cannot be in the business of proving a negative based on software that treats us like a Windows server and has no knowledge of Data ONTAP.

RichardSopp

Why so defensive NetApp?  Wouldn't it be a better approach to partner with one or two of the major scanner vendors and make their products ONTAP friendly?

I don't think NetApp should provide its own tool because that's definitely a case of the fox guarding the hen house.

adamfox

Keep in mind, I don't speak for NetApp, I'm just a guy who works here.  But I've run into this issue many times and have spent way too many cycles chasing down problems that don't exist.

I agree it would be good to have scanners out there who are ONTAP-aware.  And I also agree that we shouldn't be writing scanners of our own stuff.

scottgelb

This doesn't address the scanner issue but for anyone who just wants to read about vulnerabilities with CIFS (lack of in this case) in ONTAP, the Matasano independent security analysis is a good white paper.  The paper is detailed for MultiStore but covers all network protocols.  NetApp MultiStore®: An Independent Security Analysis by Matasano Security.  It is available on the Field Portal (search "Matasano").

eric_barlier

Hi Richard,

I'm not NetApp either, I don't even work for NetApp, but I reckon you know that as we used to attend the same weekly conf. calls in your org. in the past ;-).

As back then, I am a contractor now. I'm down under.

I reckon NetApp could possibly do what you say. However, that would be turning matters upside down in my opinion. I think scanner vendors should approach storage vendors. After all, it's improving on their product, not Ontap.

On a personal note: my experience back in the days I worked for NetApp in tech support: We did get a few guys logging cases claiming Ontap was not secure. Most of the time it was some sysadmin downloading a free tool (let's save money, we don't care if it's a good tool, if it's supported, etc.), running it left and right and then logging cases. This was fairly common. It was never done by a professional IT security dept. I think they know better.

My two pennies,

Eric
