ONTAP Discussions

NetApp Bash Shellshock - How is it exploitable?


The official advisory doesn't answer all of our questions. It is unclear if our NetApp devices are remotely exploitable without authentication, OR is it only exploitable if you are able to SSH into the appliances?


Please update the advisory ASAP. This is critical with customers who have confidential data stored on NetApp filers. We already have a support case open and have escalated numerous times, but cannot seem to get to anyone who can provide a definitive answer.


Thank you for your help.



@pmdfnetapp for further information, please contact NetApp Support


1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)

+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)


We have already contacted NetApp support, and have escalated multiple times.  We cannot seem to get to someone who can provide an answer.  Other vendors have specified if it is only exploitable by using something like ssh and authenticating prior to being able to exploit the vulnerability.


Currently attackers are exploiting the Bash vulnerability via http headers. They can execute their bash script this way without authorized access by placing it in a HTTP header. Any vulnerable system will execute the Bash script in the HTTP header. There are already worms programmed to scan for port 80 & place their exploit code in a HTTP header. Attackers that find vulnerable web servers (any system running bash up to 4.3) can use this method to execute ANY system-level command accessible via Bash remotely.


So these are the questions you should be asking yourself first. Is port 80 open? Is it internet facing? No? Then you're system is safe. Patch your internet facing systems immediately.




Nicholas Lee Fagan


Our NetApps are not Internet facing.  Just because they are not Internet facing, that does NOT mean that they are "safe".  If that was the case, then nobody would ever patch their internal systems.  That will not pass any compliance such as PCI, HIPPA, etc.


I understand that attackers are able to compromise systems over the web, but just because a system has bash on it, that doesn't mean that it can be compromised that way.  We have other systems similar to NetApp that have the vulnerable version of Bash, but it is only exploitable if you first have credentials and are able to login to the system via SSH.


Are NetApps vulnerable via their web interface either with or without being authenticated is my question.  Our clients are asking us if  THEIR data is safe, and we cannot answer them at the moment.  If it is only exploitable via SSH after authenticating as an administrator, then the risk is extremely low.  If the NetApps can be exploited via http or https without authenticating a user, then the risk is extremely high.  Are they vulnerable by saving a specially crafted file to a NetApp CIFS share?  What about iSCSI? 


I would just like an official answer to how the Netapps are vulnerable.


Thank you for your help.


This is not an official response this is my understanding.


Data OnTap is based on FreeBSD & bash is not a native shell for BSD. This is why you don't see an advisory for the Shellshock Bash Bug at https://www.freebsd.org/security/advisories.html . All users/scripts use ngsh shell or csh shell. They do NOT invoke bash. Therefore you would need authenticated access to the controller which would defeat the purpose of using the vulnerability. Engineering is however very concerned about this issue, and is exploring if there is a potential for this to be exploited remotely via new undiscovered attack vectors. The known HTTP header attack does not work on NetApp controllers because PHP does not invoke bash.


My only concern is with clients that have access to the storage controller that are affected by the bash bug & internet facing. With the bash bug they could force the client to download/execute a backdoor. Say that client has a NFS mount, etc. to the filer. Now the attacker has access to the same data the client does.


Any questions?




Nicholas Lee Fagan

Thank you for the additional details. It works be helpful if the official response could be updated to say that there are no known unauthenticated attack vectors at this time or something similar

I'm sure we aren't the only customer with these questions.

Them you again.

Can't edit on my mobile device. 🙂

Second sentence should say "would be helpful" and the last should say thank you. 🙂