Re: NetApp Filer software versions 5.x: potential hardware killer

[quinlan () TRANSMETA COM (Daniel Quinlan)]

Jason Downs <downsj () DOWNSJ COM> writes:

> If this host is compromised it's obviously bad news for the filer.
> But now, apparently new with the 5.x revisions of the filer operating
> system, a malicious individual can likely destroy the disk drive
> hardware itself.

How is this different from any host (Unix, Windows, DOS, network
equipment) that has one or more components with upgradeable firmware?

> It is not known if any sort of sanity check is done on the contents of
> the firmware files; it's likely there is none, considering the type of
> code they contain.

That's an interesting logical leap.

I asked NetApp quite a few questions about this before I upgraded our F630
FC disk firmware -- according to them, it's nearly impossible to turn
disks into expensive bricks.  If I recall correctly, the procedure goes
something like this: after the new firmware has completed uploading, the
checksum is verified and/or it is tested in other ways (there is room for
both the old and new copies, I guess), and only then will the disk switch
over to the new firmware using some atomic operation.

So it may be true that someone could construct an evil firmware that also
passes muster (it may be difficult to do this -- I don't know), and upon
gaining root access to your filer, instead of zeroing all of your disks,
they turn your disks into bricks.  If they can't construct an evil
firmware, I guess they could downgrade your firmware version at the very
least.

To be honest, I don't know how irrecoverable today's disks are when a bad
firmware is uploaded.

I suppose that if the prospect of having all your disks zeroed wasn't
enough for you to secure your filer(s), maybe this would be enough to
scare you.  However, I'm not sure why you'd keep your data on a $100,000
RAID if that was the case.

- Dan