NetApp Service Processor Security Advisory CVE-2019-5490


On Tuesday, March 5th, you may have received the email above from NetApp about a security vulnerability in the Service Processor (SP). Since we have had several customers ask about it, we wanted to post a response to help you address this email.

The vulnerability is:

https://security.netapp.com/advisory/ntap-20190305-0001/

“Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution.”

What this means is that if an attacker could reach the IP address of your SP and knew the default account credentials, they could execute commands on it. However, because the SP does not support multi-factor authentication (MFA), I have not yet met a NetApp user who exposes their SP to the internet. So this vulnerability is only a liability if the SP is exposed to the internet or an attacker has already breached your network.

The good news is that there is a very easy, non-disruptive patch for this issue, so you can apply it easily to make sure it is never a problem for your organization.

In addition, if you have one of the following controllers you do not need to apply a patch, as these are the unaffected platforms and firmware versions:

The FAS/AFF Baseboard Management Controller (BMC), Service Processor 1.x firmware versions, ONTAP Select and Cloud Volumes ONTAP are not affected by this vulnerability – this includes the following platforms: AFF A220, FAS2720, FAS2750, AFF A800, AFF A700s, FAS6290, FAS6280, FAS6250, FAS6240, FAS6220, FAS6210, FAS3270, FAS3250, FAS3240, FAS3220, FAS3210 and V-Series variants

If you do not have one of the above controllers, you will need to update your SP to a version that addresses this issue.

If you have an affected controller, updating it can be fairly simple.

First, log in to the NetApp support site at:

https://mysupport.netapp.com/

Next, navigate to the download drop-down and click ‘System firmware & Diagnostics’:

Then choose your controller:


Next, choose ‘Service Processor for installation from the Data ONTAP prompt’ (this was easiest for me):

Finally, click on the file to download it:

To use this file to update your SP you will need an HTTP server with wide-open permissions. For most customers this can be a really painful process to get through change management and security. Fortunately, I have found an excellent solution: I use Mongoose Pro (there is a free version, but if you like it, please do the right thing and pay for this developer's hard work):

https://cesanta.com/binary.html

Mongoose is my temporary web server of choice: it requires no installation and runs from your taskbar; when you are done, right-click its icon on the taskbar and choose ‘exit’ and it closes.
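If a third-party binary such as Mongoose cannot be run in your environment, the same kind of temporary web server can be built from the Python standard library. The script below is an added example, not part of this post and not NetApp's or Mongoose's code: it serves only .zip files from one folder, refuses directory listings and every other path, logs each request with the requesting address, and stops itself after a timeout so it cannot be left running. The folder path, bind address, port and timeout are assumptions; point them at your staging folder and the interface the controllers can reach.

```python
"""Temporary, read-only HTTP server for staging a Service Processor firmware package.

Added example (not from the original post and not NetApp's or Mongoose's code).
It serves allow-listed files from one folder, refuses directory listings and
any other path, logs each request with the client address, and shuts itself
down after a timeout. Folder, bind address, port and timeout are assumptions.
"""
import functools
import logging
import sys
import threading
import urllib.parse
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

# SP firmware packages are distributed as .zip files; nothing else is served.
ALLOWED_SUFFIXES = {".zip"}


class FirmwareHandler(SimpleHTTPRequestHandler):
    """Serve exactly one kind of file from the staging folder; everything else is a 404."""

    def _requested_file(self):
        """Return the staged file for this request, or None if it must be refused."""
        # Drop the query string, percent-decode, and require a bare file name:
        # no sub-paths, no traversal, no directory listing.
        name = urllib.parse.unquote(self.path.split("?", 1)[0]).lstrip("/")
        if not name or "/" in name or "\\" in name or name != Path(name).name:
            return None
        if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
            return None
        target = Path(self.directory) / name
        return target if target.is_file() else None

    def _permitted(self):
        target = self._requested_file()
        if target is None:
            logging.warning("refused %s %s from %s", self.command, self.path, self.client_address[0])
            self.send_error(404, "Not found")
            return False
        logging.info("serving %s to %s", target.name, self.client_address[0])
        return True

    def do_GET(self):
        if self._permitted():
            super().do_GET()  # SimpleHTTPRequestHandler streams the file

    def do_HEAD(self):
        if self._permitted():
            super().do_HEAD()

    def log_message(self, fmt, *args):
        # Route the base class's access log through logging, tagged with the client address.
        logging.debug("%s %s", self.client_address[0], fmt % args)


def start_server(directory, bind="127.0.0.1", port=8080, timeout_seconds=3600):
    """Serve `directory` in a background thread; returns (server, thread).

    Binding to a single address keeps the package off every other interface,
    and the timer shuts the server down when the maintenance window ends.
    """
    handler = functools.partial(FirmwareHandler, directory=str(directory))
    httpd = ThreadingHTTPServer((bind, port), handler)
    thread = threading.Thread(target=httpd.serve_forever, daemon=True)
    thread.start()
    timer = threading.Timer(timeout_seconds, httpd.shutdown)
    timer.daemon = True
    timer.start()
    return httpd, thread


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    folder = sys.argv[1] if len(sys.argv) > 1 else r"C:\http"    # the post's staging folder
    address = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"  # interface the controllers reach
    server, worker = start_server(folder, bind=address)
    logging.info("serving %s on http://%s:%d/ for one hour; Ctrl-C stops early",
                 folder, *server.server_address)
    try:
        worker.join()
    except KeyboardInterrupt:
        server.shutdown()
    server.server_close()
```

Run it as `python sp_http.py C:\http 10.10.50.50` (hypothetical file name; the address is the one from the post) and build the system node image get command with that address and port 8080, exactly as described for Mongoose below. The log shows which controller fetched the package and when the server stopped, which is the evidence change management usually asks for.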

Create a folder called ‘http’ in the root of your C: drive, and place the SP update file you downloaded in this folder along with Mongoose:

Next, double-click Mongoose, right-click on the patch filename and choose ‘copy link address’:

Then open a Notepad file and paste that link into it. In front of the URL type system node image get -package, and after the URL add -replace-package true. You should end up with something like my command:

system node image get -package http://10.10.50.50:8080/306-04426_A0-AFF_FAS80XX_3.7P1_SP_FW.zip -replace-package true

Next, open an SSH session (for example with PuTTY) to the cluster management IP of your NetApp, and elevate your privileges to advanced:

set -priv adv 

Then, confirm with a ‘y’.

Finally, download the SP firmware onto the storage controller by pasting the command from your Notepad file into your SSH session (change NODENAME to the name of the node you are updating):

system node image get -node NODENAME -package http://10.10.50.50:8080/306-04426_A0-AFF_FAS80XX_3.7P1_SP_FW.zip -replace-package true

You should see a response like:

Once the file is uploaded, your NetApp should automatically update the SP. After about an hour, reopen your SSH session and run:

system service-processor show -node node1

This will confirm that your SP has been updated.
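To check the result across every node in the cluster rather than reading the output for one node by eye, the script below parses the output of system service-processor show and compares each SP's firmware version with the minimum fixed version you take from NetApp's advisory. This is an added example, not part of the post or of ONTAP: the sample output embedded in it is constructed to mirror the command's column layout, and the 3.7P1 floor used by default is only a placeholder taken from the file name in the post, not the fixed version for your platform. BMC-based controllers and SP 1.x firmware are reported as not affected, as the post states.

```python
"""Check Service Processor firmware versions from `system service-processor show` output.

Added example, not part of the post or of ONTAP. The sample output below is
constructed to mirror the command's column layout; the minimum version is an
input you take from NetApp's advisory for your platform.
"""
import re
import sys

# Constructed sample of `system service-processor show` across four nodes (not real output).
SAMPLE_OUTPUT = """\
cluster1::*> system service-processor show
                           Firmware Version
Node          Type   Status          Updated Version   IP Address
------------- ------ --------------- ------- --------- -------------
node1         SP     online          true    3.7P1     10.10.50.51
node2         SP     online          false   3.6       10.10.50.52
node3         BMC    online          true    10.0      10.10.50.53
node4         SP     online          true    1.4.2     10.10.50.54
4 entries were displayed.
"""

# SP versions look like 3.6, 3.7P1 or 1.4.2: major.minor[.patch][P<n>].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:P(\d+))?$", re.IGNORECASE)


def parse_sp_version(text):
    """Turn '3.7P1' into a comparable tuple (3, 7, 0, 1); raises ValueError on junk."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised SP version: %r" % text)
    major, minor, patch, p_level = match.groups()
    return (int(major), int(minor), int(patch or 0), int(p_level or 0))


def parse_show_output(text):
    """Return one dict per node row from the command output (header and footer skipped)."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):  # separator under the column headers
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip() or "entries were displayed" in line:
            break
        parts = line.split()
        if len(parts) < 6:  # wrapped or unexpected line; skip rather than guess
            continue
        rows.append({"node": parts[0], "type": parts[1], "status": parts[2],
                     "updated": parts[3].lower() == "true",
                     "version": parts[4], "ip": parts[5]})
    return rows


def check_sp_firmware(text, minimum_fixed_version):
    """Map each node to its version and a verdict against the advisory's fixed version.

    BMC platforms and SP 1.x firmware are not affected, so they pass regardless
    of the floor; every other SP must run at least `minimum_fixed_version`.
    """
    floor = parse_sp_version(minimum_fixed_version)
    report = {}
    for row in parse_show_output(text):
        node, version = row["node"], row["version"]
        if row["type"].upper() == "BMC":
            verdict = "not affected (BMC)"
        else:
            try:
                parsed = parse_sp_version(version)
            except ValueError:
                report[node] = {"version": version, "verdict": "unparsed version"}
                continue
            if parsed[0] == 1:
                verdict = "not affected (SP 1.x)"
            elif parsed >= floor:
                verdict = "fixed"
            else:
                verdict = "needs update"
        report[node] = {"version": version, "verdict": verdict}
    return report


if __name__ == "__main__":
    # Usage: run the show command over SSH and pipe its saved output in, e.g.
    #   python check_sp.py 3.7P1 < sp_show.txt   (3.7P1 is a placeholder floor)
    floor = sys.argv[1] if len(sys.argv) > 1 else "3.7P1"
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for node, result in check_sp_firmware(output, floor).items():
        print("%-12s %-8s %s" % (node, result["version"], result["verdict"]))
```

The version parser treats a P-level as newer than the same base version without one (3.7P1 is above 3.7), which is what matters when the fixed release is a patch level; anything it cannot parse is reported as such rather than silently passed.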

As you can see, this can be done relatively easily; however, Entisys360 would be happy to schedule a WebEx session with you to assist with this and perform a health check of your NetApp if you prefer. Reach out to your Entisys360 representative to schedule assistance.

Written By: Arthur Jannicelli