CVE Number – CVE-2019-5490
Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution.
Exploitation of this vulnerability can result in unauthorized arbitrary command execution. Because the weakness is a shipped default account rather than a software bug, the exposure exists on any affected Service Processor that is reachable over the network, whether or not the rest of the system is patched.
Affected Products
- Clustered Data ONTAP
- Data ONTAP operating in 7-Mode
- Service Processor
The full list of affected versions is given in NetApp's security advisory for this CVE.
Workarounds
Until the fixed firmware is installed, the Service Processor can be configured to restrict remote SSH access to only specified administration hosts:
Data ONTAP operating in 7-Mode 8.2: https://library.netapp.com/ecmdocs/ECMP1155684/html/GUID-348845ED-D2F3-4B52-AFD1-175CFBCF5D1D.html
clustered Data ONTAP 8.2: https://library.netapp.com/ecmdocs/ECMP1196798/html/GUID-348845ED-D2F3-4B52-AFD1-175CFBCF5D1D.html
clustered Data ONTAP 8.3: https://library.netapp.com/ecmdocs/ECMP1610202/html/system/service-processor/ssh/add-allowed-addresses.html
ONTAP 9.x: https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-sag/GUID-6FE269CD-335F-47C0-B9F7-6EF6E2546E52.html
The Service Processor IP address can be removed to prevent all remote access:
Data ONTAP operating in 7-Mode 8.2: https://library.netapp.com/ecmdocs/ECMP1155684/html/GUID-F929FBC1-065D-422B-9717-A21559C62ADE.html
clustered Data ONTAP 8.2: https://library.netapp.com/ecmdocs/ECMP1366832/html/system/node/service-processor/network/modify.html
clustered Data ONTAP 8.3: https://library.netapp.com/ecmdocs/ECMP1610202/html/system/service-processor/network/modify.html
ONTAP 9.x: https://docs.netapp.com/ontap-9/topic/com.netapp.doc.exp-expand/GUID-C3DF1538-77D9-499D-84E8-90021E184F9A.html
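The following is an added example, not NetApp's code and not part of the advisory: a small POSIX shell script that wraps the ONTAP 9 cluster-shell commands behind both workarounds above (restricting SP SSH to named admin hosts, and disabling the SP network interface), validates the allow-list so that a wildcard block cannot silently undo the restriction, and can dry-run the commands before sending them over SSH. The cluster login `admin@cluster1`, the node name `cluster1-01` and the addresses are assumptions for illustration; the `system service-processor ssh` and `system service-processor network` command names are the ONTAP 9 commands documented at the links above. The 7-Mode `sp` commands are not covered.

```shell
#!/bin/sh
# Added example, not from the NetApp advisory: ONTAP 9 cluster-shell commands
# for the two Service Processor workarounds, wrapped so they can be reviewed
# (dry run) before being executed over SSH against the cluster management LIF.
# admin@cluster1, cluster1-01 and the addresses below are assumptions.

# Reject an allow-list that would not actually restrict anything: every entry
# must be an IPv4 address or CIDR block, and a /0 block (e.g. 0.0.0.0/0) is
# refused because it would re-open SP SSH to everyone.
sp_validate_addrs() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | tr ',' '\n' | while read -r a; do
        printf '%s\n' "$a" |
            grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/([1-9]|[12][0-9]|3[0-2]))?$' || exit 1
    done
}

# Workaround 1: limit SP SSH logins to the given admin hosts/subnets
# (comma-separated), then show the resulting allow-list for verification.
sp_restrict_cmds() {
    sp_validate_addrs "$1" || { echo "invalid allow-list: '$1'" >&2; return 1; }
    printf '%s\n' \
        "system service-processor ssh add-allowed-addresses -allowed-addresses $1" \
        "system service-processor ssh show"
}

# Workaround 2: disable the SP network interface on one node (IPv4 shown;
# repeat with -address-family IPv6 if the SP also has an IPv6 address), then
# show the interface state so the change can be confirmed.
sp_disable_cmds() {
    [ -n "$1" ] || { echo "node name required" >&2; return 1; }
    printf '%s\n' \
        "system service-processor network modify -node $1 -address-family IPv4 -enable false" \
        "system service-processor network show -node $1"
}

# Run a newline-separated list of commands, one ssh session each, against the
# cluster management LIF. Set SP_DRY_RUN=1 to print the ssh invocations instead.
sp_apply() {
    target=$1; shift
    printf '%s\n' "$@" | while read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ -n "${SP_DRY_RUN:-}" ]; then
            printf 'ssh %s "%s"\n' "$target" "$cmd"
        else
            ssh "$target" "$cmd"
        fi
    done
}

# Dry run: review what would be sent before applying it for real.
SP_DRY_RUN=1 sp_apply admin@cluster1 "$(sp_restrict_cmds 10.20.30.0/24,10.20.31.5)"
SP_DRY_RUN=1 sp_apply admin@cluster1 "$(sp_disable_cmds cluster1-01)"
```

The allow-list only narrows which hosts can reach the SP's SSH service; the default account is still present until the firmware is updated, so both workarounds are interim measures. Disabling the SP network interface also removes out-of-band management of that node (remote console and power control), so confirm another management path exists before applying it on a production node.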
Obtaining Software Fixes
Software fixes will be made available through the NetApp Support website in the Software Download section – https://mysupport.netapp.com/NOW/cgi-bin/software/
Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.