Bugtraq mailing list archives

NetApp Filer software versions 5.x: potential hardware killer


From: downsj () DOWNSJ COM (Jason Downs)
Date: Wed, 10 Feb 1999 05:46:16 -0800


I was going through the documentation for version 5.2.1 (the latest)
of the Network Appliance Filer operating system when I stumbled upon
this little gem:

"Use the disk_fw_update command to update out-of-date firmware on all disks or
a specified disk on a filer. Each filer is shipped with a /etc/disk_fw
directory that contains the latest firmware revisions."

[...]

"In the /etc/disk_fw directory, the firmware file name is in the form of
product_ID.revision.LOD. For example, if the firmware file is for Seagate
disks with product ID ST19171FC and the firmware revision is FB37, the file
name is ST19171FC.FB37.LOD. The revision in the file name is the number
against which the filer compares each disk's existing firmware revision."

[...]

"Before Data ONTAP 5.2, the disk_fw_update command copied firmware files from
the /etc directory. In the /etc directory, the name for the firmware file
was in the form of product_ID.LOD. The revision number was not included in the
file name. Data ONTAP 5.2 continues to support firmware files in the
/etc directory for backward compatibility. That is, if you obtain a disk
firmware file and store it in the /etc directory, you can use the
disk_fw_update command to copy that firmware file to disks, unless there is
also a firmware file for the same product ID in the /etc/disk_fw directory.
The files in the /etc/disk_fw directory take precedence over the files in the
/etc directory."

[...]


Filers typically have an "admin host" which can mount and read/write to the
filer root directory.  Without it, it's impossible to do any sort of system
maintenance on the filer.

If this host is compromised it's obviously bad news for the filer.  But now,
apparently new with the 5.x revisions of the filer operating system, a
malicious individual can likely destroy the disk drive hardware itself.
It is not known if any sort of sanity check is done on the contents of the
firmware files; it's likely there is none, considering the type of code they
contain.

Of course, it is trivial to gain command line access to a filer once the
admin host is compromised.  They use what amounts to /etc/hosts.equiv for rsh
access.

It has always been important to make sure the "admin host" of a filer is
secure.  Now it seems Network Appliance has just raised the stakes; not
only can you lose your data, but you can also potentially lose hundreds
of thousands of dollars worth of hardware.

--
Jason Downs
downsj () downsj com

               Little.  Yellow.  Secure.  http://www.openbsd.org/

Sending unsolicited commercial email to this address may be a violation of
the Washington State Consumer Protection Act, chapter 19.86 RCW.
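
A defender-side check for the exposure described in this message, as an added example (not part of the original post and not NetApp code): run on the admin host, it inventories firmware files under the mounted filer root using the two file-name forms quoted above, compares them with a SHA-256 baseline, and flags legacy /etc files that remain usable under the quoted precedence rule. The baseline manifest, the finding labels and the sample file EXAMPLE01.LOD are assumptions made for illustration.

```python
import hashlib, os, re, tempfile

# File-name forms quoted from the Data ONTAP 5.2 documentation above.
NEW_STYLE = re.compile(r"^(?P<pid>[^.]+)\.(?P<rev>[^.]+)\.LOD$")  # /etc/disk_fw
OLD_STYLE = re.compile(r"^(?P<pid>[^.]+)\.LOD$")                  # /etc (legacy)

def inventory(root):
    """Map relative path -> (product_id, revision or None, sha256) for firmware files."""
    found = {}
    for rel, pattern in (("etc/disk_fw", NEW_STYLE), ("etc", OLD_STYLE)):
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            m, path = pattern.match(name), os.path.join(directory, name)
            if m and os.path.isfile(path):
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                found[f"{rel}/{name}"] = (m["pid"], m.groupdict().get("rev"), digest)
    return found

def audit(root, baseline):
    """Compare the tree with baseline {relative path: sha256}; return sorted findings."""
    inv = inventory(root)
    findings = [("MISSING", p) for p in baseline if p not in inv]
    for path, (_, _, digest) in inv.items():
        if path not in baseline:
            findings.append(("UNEXPECTED", path))
        elif baseline[path] != digest:
            findings.append(("MODIFIED", path))
    # Quoted rule: a legacy /etc file counts only if /etc/disk_fw has none for that ID.
    covered = {pid for pid, rev, _ in inv.values() if rev is not None}
    findings += [("LEGACY_ELIGIBLE", p) for p, (pid, rev, _) in inv.items()
                 if rev is None and pid not in covered]
    return sorted(findings)

def demo():
    """Constructed tree standing in for the filer root mounted on the admin host."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "disk_fw"))
        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        put("etc/disk_fw/ST19171FC.FB37.LOD", b"known-good image (constructed)")
        put("etc/ST19171FC.LOD", b"legacy image (constructed)")
        baseline = {p: v[2] for p, v in inventory(root).items()}
        put("etc/disk_fw/ST19171FC.FB37.LOD", b"altered image (constructed)")
        put("etc/EXAMPLE01.LOD", b"unknown image (constructed)")
        return audit(root, baseline)
```

The baseline is only as trustworthy as where it is stored: keep it off the admin host, since that host is the one assumed compromised in the scenario above.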


