
 

On Tuesday, March 5th, you may have received the email above from NetApp about a security vulnerability in the Service Processor (SP). Since several customers have asked about this, we wanted to post a response to help you address this email.

The vulnerability is:

https://security.netapp.com/advisory/ntap-20190305-0001/

“Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution.”

What this means is that IF an attacker were able to reach the IP of your SP and knew the default account credentials, they could execute commands. However, because the SP does not support multi-factor authentication (MFA), I have not yet met a NetApp user that exposes their SP to the internet. So this vulnerability is only a liability if the SP is exposed to the internet or an attacker has already breached your network.

The good news is that there is a very easy, non-disruptive patch for this issue, so you can apply it to make sure it is never an issue for your organization.

In addition, if you have one of the following controllers, you do not need to apply a patch, as these are the unaffected platforms/firmware versions:

The FAS/AFF Baseboard Management Controller (BMC), Service Processor 1.x firmware versions, ONTAP Select and Cloud Volumes ONTAP are not affected by this vulnerability – this includes the following platforms: AFF A220, FAS2720, FAS2750, AFF A800, AFF A700s, FAS6290, FAS6280, FAS6250, FAS6240, FAS6220, FAS6210, FAS3270, FAS3250, FAS3240, FAS3220, FAS3210 and V-Series variants

If you do not have one of the above controllers, you will need to update your SP to a version that addresses this issue:

 

 

If you have an affected controller, updating it could be fairly simple.

First, log in to the NetApp Support site at:

https://mysupport.netapp.com/

 

Next, navigate to the download drop-down and click ‘System firmware & Diagnostics’:

 

 

Then choose your controller:

 

 

Next, choose ‘Service Processor for installation from the Data ONTAP prompt’ (this was easiest for me):

 

 

Finally, click on the file to download it:

 

 

To use this file to update your SP, you will need an HTTP server with wide open permissions. For most customers, getting this through change management and security can be a really painful process. Fortunately, I have found an excellent solution. I use Mongoose Pro (there is a free version, but if you like this, please do the right thing and pay for this developer's hard work):

https://cesanta.com/binary.html

 

Mongoose is my temporary web server of choice: it requires no install and it runs in your taskbar. When you are done, right-click on the icon on your taskbar and choose ‘exit’, and it closes.

Create a folder on the root of your C: drive called ‘http’ and place the SP update file you downloaded in this folder along with Mongoose:

 

 

Next, double-click Mongoose, right-click on the patch filename and choose ‘copy link address’:

 

Then open a Notepad file and paste that link into the file. In front of the URL, paste system node image get -package, and after the URL, paste -replace-package true. You should see something like my command:

system node image get -package http://10.10.50.50:8080/306-04426_A0-AFF_FAS80XX_3.7P1_SP_FW.zip -replace-package true

Next, open an SSH session (PuTTY) to the cluster management IP of your NetApp and elevate your privileges to advanced:

set -priv adv 

Then, confirm with a ‘y’.

Finally, download the SP firmware to the storage controller by pasting the command from your Notepad file into your SSH session (change NODENAME):

system node image get -package http://10.10.50.50:8080/306-04426_A0-AFF_FAS80XX_3.7P1_SP_FW.zip -replace-package true

You should see a response like:

 

Once the file is uploaded, your NetApp should automatically update your SP. After an hour, reopen your SSH session and run:

system service-processor show -node node1

This will confirm that your SP has been updated.
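
Where change management will not accept a web server with wide open permissions, the temporary HTTP step above can be narrowed to one file and a short list of permitted clients. The Python script below is an added example, not part of the original post or of NetApp's tooling: it serves only the SP package, answers only the listed client IPs, and prints the package's SHA-256 so it can be compared with a checksum from the download page if one is published. The function names are hypothetical, port 8080 is taken from the URL in the post, and it assumes you know which node addresses will fetch the file.

```python
import hashlib
import http.server
import os
import shutil
import sys

# Added example: function names and the allowlist are hypothetical, not from the post.
def sha256_of(path):
    """Hash the package for comparison with a checksum from the download page."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def status_for(client_ip, url_path, package_name, allowed_clients):
    """403 for clients off the allowlist, 404 for any path except the package."""
    if client_ip not in allowed_clients:
        return 403
    return 200 if url_path == "/" + package_name else 404

def make_handler(package_path, allowed_clients):
    name = os.path.basename(package_path)
    class OneFileHandler(http.server.BaseHTTPRequestHandler):
        def _respond(self, send_body):
            code = status_for(self.client_address[0], self.path, name, allowed_clients)
            if code != 200:
                self.send_error(code)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/zip")
            self.send_header("Content-Length", str(os.path.getsize(package_path)))
            self.end_headers()
            if send_body:
                with open(package_path, "rb") as f:
                    shutil.copyfileobj(f, self.wfile)
        def do_GET(self):
            self._respond(True)
        def do_HEAD(self):
            self._respond(False)
    return OneFileHandler

if __name__ == "__main__":
    # Usage: python serve_sp.py <package.zip> <bind_ip> <node_ip> [<node_ip> ...]
    package, bind_ip, *nodes = sys.argv[1:]
    print("sha256:", sha256_of(package))
    print(f"serving http://{bind_ip}:8080/{os.path.basename(package)}")  # port as in the post's URL
    with http.server.HTTPServer((bind_ip, 8080), make_handler(package, set(nodes))) as server:
        server.serve_forever()
```

Stop it with Ctrl+C as soon as the image download completes so the listener does not outlive the change window.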

As you can see, this can be done relatively easily. However, Entisys360 would be happy to schedule a Webex session with you to assist with this and perform a health check of your NetApp if you prefer; reach out to your Entisys360 representative to schedule assistance.

 

 
