
NetApp Default Privileged Account Vulnerability [CVE-2019-5490]

CVE Number – CVE-2019-5490

Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution.

Exploitation of this vulnerability can result in unauthorized arbitrary command execution.

Affected Products

  • Clustered Data ONTAP
  • Data ONTAP operating in 7-Mode
  • Service Processor

The full list of affected versions can be found here.

Workarounds

The Service Processor can be configured to restrict remote access to only specified administration hosts:

  • Data ONTAP operating in 7-Mode 8.2: https://library.netapp.com/ecmdocs/ECMP1155684/html/GUID-348845ED-D2F3-4B52-AFD1-175CFBCF5D1D.html
  • clustered Data ONTAP 8.2: https://library.netapp.com/ecmdocs/ECMP1196798/html/GUID-348845ED-D2F3-4B52-AFD1-175CFBCF5D1D.html
  • clustered Data ONTAP 8.3: https://library.netapp.com/ecmdocs/ECMP1610202/html/system/service-processor/ssh/add-allowed-addresses.html
  • ONTAP 9.x: https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-sag/GUID-6FE269CD-335F-47C0-B9F7-6EF6E2546E52.html

The Service Processor IP address can be removed to prevent all remote access:

  • Data ONTAP operating in 7-Mode 8.2: https://library.netapp.com/ecmdocs/ECMP1155684/html/GUID-F929FBC1-065D-422B-9717-A21559C62ADE.html
  • clustered Data ONTAP 8.2: https://library.netapp.com/ecmdocs/ECMP1366832/html/system/node/service-processor/network/modify.html
  • clustered Data ONTAP 8.3: https://library.netapp.com/ecmdocs/ECMP1610202/html/system/service-processor/network/modify.html
  • ONTAP 9.x: https://docs.netapp.com/ontap-9/topic/com.netapp.doc.exp-expand/GUID-C3DF1538-77D9-499D-84E8-90021E184F9A.html
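
To confirm that the first workaround (restricting remote access to specified administration hosts) is actually in effect, the allowed-address list can be audited. The following is an added example, not code from this page or from NetApp: it assumes the list is captured from `system service-processor ssh show` as a single `Allowed Addresses:` line, and the sample output and the `ADMIN_NETWORKS` range are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples of `system service-processor ssh show` output (layout assumed).
SAMPLE_OPEN = """cluster1::> system service-processor ssh show
  Allowed Addresses: 0.0.0.0/0, ::/0
"""
SAMPLE_RESTRICTED = """cluster1::> system service-processor ssh show
  Allowed Addresses: 192.0.2.10/32, 192.0.2.64/28, 10.0.0.0/8
"""

# Hypothetical management networks where the administration hosts live.
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_allowed(output):
    """Return the networks listed on the 'Allowed Addresses:' line."""
    match = re.search(r"Allowed Addresses:\s*(.+)", output)
    if not match:
        raise ValueError("no 'Allowed Addresses' line found")
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in match.group(1).split(",") if item.strip()]


def audit(output, admin_networks=ADMIN_NETWORKS):
    """Return (network, reason) findings for entries that defeat the workaround."""
    findings = []
    for net in parse_allowed(output):
        if net.prefixlen == 0:
            # A /0 entry means every source address may reach the SP over SSH.
            findings.append((str(net), "any host allowed"))
        elif not any(net.version == admin.version and net.subnet_of(admin)
                     for admin in admin_networks):
            # Entry is narrower than /0 but reaches beyond the admin networks.
            findings.append((str(net), "outside admin networks"))
    return findings


if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, audit(sample) or "OK")
```

An empty result means every allowed entry falls inside the administration networks you defined.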

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section – https://mysupport.netapp.com/NOW/cgi-bin/software/

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
