Re: NetApp Filer software versions 5.x: potential hardware killer
der Mouse (mouse@RODENTS.MONTREAL.QC.CA)
Sat, 13 Feb 1999 10:01:46 -0500
- Next message: Marco S Hyman: "Re: PPP/ISDN multilink security issue - summary"
- Previous message: Jamie Thain: "Re: Possible FW-1 DoS"
- Maybe in reply to: Jason Downs: "NetApp Filer software versions 5.x: potential hardware killer"
>> But now, apparently new with the 5.x revisions of the filer
>> operating system, a malicious individual can likely destroy the disk
>> drive hardware itself.

On reflection, this is really a bug in the disk drive. If a NetApp can shove new firmware into the drive, so could any host it's connected to.

> How is this different from any host (Unix, Windows, DOS, network
> equipment) that has one or more components with upgradeable firmware?

In my opinion, it isn't fundamentally different. If I saw, for example, a machine with flashable "PROM" code that *didn't* require some physical change - eg, a jumper on the board - to enable that functionality, I wouldn't go near the thing. Any drive that allows its host to download new firmware without some documented hard means of disabling this capability (typically a jumper on the drive) is just *asking* for trouble.

NetApp is not the problem. Given knowledge of the relevant commands to the drive, any of the free-source OSes could become just as dangerous. NetApp is contributing only in that they make it a little easier to shove new firmware into a drive.

> If I recall correctly, the procedure goes something like this: after
> the new firmware has completed uploading, the checksum is verified
> and/or it is tested in other ways (there is room for both the old and
> new copies, I guess), and only then will the disk switch over to the
> new firmware using some atomic operation.
> So it may be true that someone could construct an evil firmware that
> also passes muster (it may be difficult to do this -- I don't know),

"I guess" - "may be true" - "I don't know". This sounds a whole lot like something bugtraq has seen many times before, a flavor of security-through-obscurity: a device with a capability that has unpleasant security implications that is rendered "secure" (note the quotes) by keeping that capability secret.

I recall this most recently with router boxes that have "secret" backdoor passwords, but this is not fundamentally different.

> and upon gaining root access to your filer, instead of zeroing all of
> your disks, they turn your disks into bricks.

Mind you, I have trouble imagining what an attacker would want to do to your drives except turning them into bricks (ie, a DOS attack) - but I am not the least bit sure nobody will think of something fiendish that I haven't thought of.

> To be honest, I don't know how irrecoverable today's disks are when a
> bad firmware is uploaded.

Mm-hmm. More undocumented aspects of common hardware.

Seagate, Quantum, etc: any of you present on bugtraq? Any of you care to speak up and document these aspects of your drives? Or if you *are* using a standardized capability, point to where it's documented?

der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
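Added example, not part of the message above and not any vendor's code: a toy model of the two-slot update described in the quoted text, comparing checksum-only acceptance with a hardware write-enable jumper and an authenticated image. The image layout, the Drive class, VENDOR_KEY and the use of HMAC-SHA256 as a stand-in for a vendor signature are all assumptions made for illustration.

```python
import hashlib, hmac, zlib
from dataclasses import dataclass, field

VENDOR_KEY = b"constructed-demo-key"  # assumption: stand-in for a vendor signing key

def crc_image(body: bytes) -> bytes:
    """Assumed layout: firmware body followed by a 4-byte CRC32 trailer."""
    return body + zlib.crc32(body).to_bytes(4, "big")

def tagged_image(body: bytes, key: bytes) -> bytes:
    """Assumed layout: body followed by a 32-byte HMAC-SHA256 trailer."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

@dataclass
class Drive:
    jumper_enabled: bool = False  # physical write-enable; the host cannot change it
    require_tag: bool = False     # False models checksum-only acceptance
    slots: list = field(default_factory=lambda: [b"factory", b""])
    active: int = 0

    def download(self, image: bytes) -> str:
        if not self.jumper_enabled:
            return "rejected: jumper"
        if self.require_tag:
            body, tag = image[:-32], image[-32:]
            good = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, good):
                return "rejected: tag"
        else:
            body, crc = image[:-4], image[-4:]
            if zlib.crc32(body).to_bytes(4, "big") != crc:
                return "rejected: checksum"
        spare = 1 - self.active
        self.slots[spare] = body  # stage in the inactive slot
        self.active = spare       # switch over only after the checks pass
        return "accepted"

def demo() -> dict:
    img = crc_image(b"image-not-from-vendor")  # constructed sample bytes
    return {
        "checksum_only": Drive(True).download(img),
        "corrupted": Drive(True).download(b"X" + img[1:]),
        "jumper_off": Drive(False).download(img),
        "wrong_key": Drive(True, True).download(tagged_image(b"v2", b"not-vendor")),
        "vendor": Drive(True, True).download(tagged_image(b"v2", VENDOR_KEY)),
    }
```

The checksum catches a damaged transfer but says nothing about who produced the image; in this model only the jumper and the keyed tag depend on something the host does not control.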