Summary

Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the Impact section below may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY.

Impact

Exploitation of this vulnerability can result in unauthorized arbitrary command execution.

First Fixed in Releases:

| SP Firmware | Storage Systems | ONTAP 9.5 | ONTAP 9.4 | ONTAP 9.3 | ONTAP 9.2 | ONTAP 9.1 | ONTAP 9.0 | ONTAP 8.3 | ONTAP 8.2 |
|---|---|---|---|---|---|---|---|---|---|
| SP 5.x | AFF A300, AFF A200, FAS8200, FAS2650, FAS2620 | 5.5P1 | 5.5P1 | 5.5P1 | 5.2P2 | 5.1P4 | N/A | N/A | N/A |
| SP 4.x | AFF A700, FAS9000 | 4.5P1 | 4.5P1 | 4.5P1 | 4.2P3 | 4.1P7 | N/A | N/A | N/A |
| SP 3.x | AFF8080, AFF8060, AFF8040, AFF8020 | 3.7P1 | 3.7P1 | 3.7P1 | 3.4P3 | 3.3P5 | 3.2P1 | 3.1.2P3 | N/A |
| SP 3.x | FAS8080, FAS8060, FAS8040, FAS8020 | 3.7P1 | 3.7P1 | 3.7P1 | 3.4P3 | 3.3P5 | 3.2P1 | 3.1.2P3 | 3.0.4P1* |
| SP 2.x | FAS2554, FAS2552, FAS2520 (ONTAP 8.2.2 and later) | 2.8P1 | 2.8P1 | 2.8P1 | 2.5P1 | 2.4.1P2 | 2.4P1 | 2.3.2P4 | 2.2.5P1 |
| SP 2.x | FAS2240-4, FAS2240-2, FAS2220 (ONTAP 9.1 is the last supported release) | N/A | N/A | N/A | N/A | 2.4.1P2 | 2.4P1 | 2.3.2P4 | 2.2.5P1 |

N/A = "Not Applicable" (i.e. no fix required)

MD5 checksums for Service Processor Security Patch Files

Unaffected platforms/firmware versions:

The FAS/AFF Baseboard Management Controller (BMC), Service Processor 1.x firmware versions, ONTAP Select and Cloud Volumes ONTAP are not affected by this vulnerability. This includes the following platforms: AFF A220, FAS2720, FAS2750, AFF A800, AFF A700s, FAS6290, FAS6280, FAS6250, FAS6240, FAS6220, FAS6210, FAS3270, FAS3250, FAS3240, FAS3220, FAS3210 and V-Series variants.

*Although NetApp has found no evidence of exposure in the 3.0.x Service Processor firmware, a patch has been made available out of an abundance of caution.

Once patched Service Processor firmware has been applied to a controller there is no need to update ONTAP.

While the Service Processor firmware update requires a reboot of the Service Processor, the process is non-disruptive to ONTAP.

Certain versions of clustered Data ONTAP and Data ONTAP operating in 7-Mode included affected versions of the Service Processor firmware. P-releases that include the patched Service Processor firmware are available for ONTAP 9.x versions under Full Support. There are no plans to create a Data ONTAP operating in 7-Mode 8.2.5 P-release that includes the patched Service Processor firmware - use the appropriate Service Processor patch from the System Firmware + Diagnostics Download page for this version.

Vulnerability Scoring Details

| CVE | Score | Vector |
|---|---|---|
| CVE-2019-5490 | 9.8 (CRITICAL) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Exploitation and Public Announcements

NetApp is not aware of public discussion regarding this vulnerability.

References