That advisory doesn't answer all of our questions. It is unclear if our NetApp devices are remotely exploitable without authentication, OR is it only exploitable if you are able to SSH into the appliances?
Please update the advisory ASAP. This is critical with customers who have confidential data stored on NetApp filers. We already have a support case open and have escalated numerous times, but cannot seem to get to anyone who can provide a definitive answer.
Folks, you have to remember that when you access a FAS system via SSH you are connecting into ONTAP and not into a BASH shell. In order to get to the BASH shell a special account has to be 1) unlocked, 2) assigned a password, 3) enter a command to get to the login prompt and 4) then authenticated. I'm not saying that this puts the system in the clear; just saying that it takes some effort to get to the BASH shell of ONTAP.
NetApp needs to post that in their official advisory, then. As far as I know the Data ONTAP web interface could be vulnerable with unauthenticated users. Other vendors have posted what the attack vector is.
All I want is something similar to:
Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.
Its been a week. Tell us the attack vectors already so that we can tell OUR customers if their data is safe. This is getting ridiculous.
AFAIK, and I've been working with and deploying NetApp ONTAP solutions for a long time, there is no direct (remote) SSH access to the BASH shell. As I mentioned earlier, you have to activiate an account to do so. Could it be possible to do this via an API call or another method, I don't know but in order to do so, there has to be some type of authenticated access to the system in the first place. This means a breach in a firewall for outside access, or, if within the firewall, still authenticated access to the system. If bad security practices are being followed then, regardless of any programatic vulnerabilities, a system is exposed.
It is not comprehensive. I understand the attack vectors for the bash vulnerability as a whole. I do not know the attack vectors that could impact a NetApp filer running ONTAP.
I have a support case open as well. I just posted here to maybe get more visibility because the support case isn't helping. There are other vendors who use bash, but they have stated that their system is only vulnerable if you SSH into a device with credentials already, so the risk is low in that case becuase you would already need to have administrative credentials to login. I don't know the risk with our NetApps. Are they vulnerable via the web interface without logging in? Is there another vector that would work against them that wouldn't require authenticaiton?
I'm not trying to figure out how to "break a netapp". I'm trying to verify that our data, and our clients data is safe and not open to an unauthenticated attack. We have clients of ours asking us if their data is safe, and we cannot answer them because NetApp won't answer us.