On 02/11/99 20:22:28 you wrote:
http://www.geek-girl.com/bugtraq/1999_1/0594.html
I think that falls into the "Doc, it hurts when I do that" category, but it's a good reminder anyway.
The message, however, is just wrong in many places. I'll quote it below to pick apart.
Jason Downs writes:
Filer's typically have an "admin host" which can mount and read/write to the filer root directory. Without it, it's impossible to do any sort of system maintenance on the filer.
This simply isn't true; there are many sorts of system maintenance that can be done on the console without an admin host, and even more so now with Web-based administration. One doesn't even have to have a permanent admin host... you could just briefly export the root directory for a quick update, then unexport it from the filer console.
If this host is compromised it's obviously bad news for the filer. But now, apparently new with the 5.x revisions of the filer operating system, a malicious individual can likely destroy the disk drive hardware itself. It is not known if any sort of sanity check is done on the contents of the firmware files; it's likely there is none, considering the type of code they contain.
This isn't new; a malicious individual could potentially affect firmware in previous versions. This is potentially the case in almost any OS... although I admit, 5.x makes it a little "easier" to do so. Firmware also isn't hardware, although bad firmware could theoretically lead to physical damage of the disk drive hardware mechanism.
Of course, it is trivial to gain command line access to a filer once the admin host is compromised. They use what amounts to /etc/hosts.equiv for rsh access.
Wrong. People keep thinking the admin host is some mythical authoritative host. It isn't. It's nothing. Forget the term. You *can*, if you like, allow one or more hosts to telnet into the filer, rsh into it without a password, or mount its root partitions. These are no more or no less a factor in the filer than in any other system, and you are perfectly capable of *not* allowing a host to do any of the above. The filer will continue to work.
It has always been important to make sure the "admin host" of a filer is secure.
This is true.
Now it seems Network Appliance has just raised the stakes; not only can you lose your data, but you can also potentially lose hundreds of thousands of dollars worth of hardware.
This isn't true, and no one should be doing risk analysis assuming that a user accessing a system through software can't do damage to the hardware underneath.
Jason, I'm CC:ing you on this; you're free to insert it into the bugtraq archive record if you wish since I don't subscribe to it.
Bruce
In message 199921122746541@ix.netcom.com, sirbruce@ix.netcom.com writes:
This simply isn't true; there are many sorts of system maintenance that can be done on the console without an admin host, and even more so now with Web-based administration. One doesn't even have to have a permanent admin host... you could just briefly export the root directory for a quick update, then unexport it from the filer console.
So you're saying that having a Java runtime on the filer is an improvement in security? That's insane.
This isn't new; a malicious individual could potentially affect firmware in previous versions. This is potentially the case in almost any OS... although I admit, 5.x makes it a little "easier" to do so. Firmware also isn't hardware, although bad firmware could theoretically lead to physical damage of the disk drive hardware mechanism.
It doesn't make it easier. It makes it trivial.
Wrong. People keep thinking the admin host is some mythical authoritative host. It isn't. It's nothing. Forget the term. You *can*, if you like, allow one or more hosts to telnet into the filer, rsh into it without a password, or mount its root partitions. These are no more or no less a factor in the filer than in any other system, and you are perfectly capable of *not* allowing a host to do any of the above. The filer will continue to work.
And you will be unable to update its /etc/passwd, /etc/quotas, etc. You must not run a filer in an environment that changes often.
Now it seems Network Appliance has just raised the stakes; not only can you lose your data, but you can also potentially lose hundreds of thousands of dollars worth of hardware.
This isn't true, and no one should be doing risk analysis assuming that a user accessing a system through software can't do damage to the hardware underneath.
It is true. Perhaps you should pull your head out of the sand for a minute and stop blindly defending the existence of a stupid command.
-- Jason Downs downsj@downsj.com
Little. Yellow. Secure. http://www.openbsd.org/
Sending unsolicited commercial email to this address may be a violation of the Washington State Consumer Protection Act, chapter 19.86 RCW.
I find this all rather amusing.
IF somebody really wants to screw us up and IF they can crack our firewall and IF they can crack the root password of our admin host and IF they care to upgrade the firmware on our filer and IF they know how to do it and IF it breaks the filer beyond usability
THEN
that's why we have backups and that's why we buy hardware support.
Frankly I think the chances of all those IF's above happening are very, very, small - and worth the trade-off to be able to upgrade the firmware on the disks. Stupid command? I think not.
My guess is that someone that cracked the root password of our system would have far bigger fish to fry.
Graham
Frankly I think the chances of all those IF's above happening are very, very, small - and worth the trade-off to be able to upgrade the firmware ...
(on the lighter side)I would say IF someone went through all that trouble to do it, then we should hire him/her/it. :-)
---philip thomas
Graham --
I was going to write your response when I first saw the 'NetApp Vulnerability!', but found myself too busy trying to justify something that needs no justification...
"Yes, you can do that"
The fact that Ontap 5.2 was cited specifically, I found particularly foolish. I don't know if Jason was aware, but disk firmware upgrades are hardly a feature unique to netapp.. Take a look at luxadm(1) for your Sun StorEdges, and numerous other examples that I am too short on coffee to come up with at the moment....
..kg..
On Fri, 12 Feb 1999, Graham C. Knight wrote:
I find this all rather amusing.
IF somebody really wants to screw us up and IF they can crack our firewall and IF they can crack the root password of our admin host and IF they care to upgrade the firmware on our filer and IF they know how to do it and IF it breaks the filer beyond usability
Lets pare this scenario down to practicality, to make things even clearer. I think that everyone will agree that we can eliminate:
IF somebody really wants to screw us up (assumed when doing security analysis)
IF they care to upgrade the firmware on our filer and (malicious intent is assumed)
IF they know how to do it and (it's on bugtraq.)
This leaves us with:
IF they can crack our firewall and IF they can crack the root password of our admin host and IF it breaks the filer beyond usability
Which is a rather conservative chain of events. In reality it's closer to:
Compromise/circumvent border access controls
Spoof the identity of admin host
Gain admin privileges on filer.
This is the same chain of events that happens with any compromised trust relationship. Nothing new. The procedures to minimize exposure and the risk of this happening are decades old.
There is (in this scenario) no Netapp software at fault. Merely lazy administrators extending trust where it's not necessary or safe to do so.
As far as:
that's why we have backups and that's why we buy hardware support.
goes; I don't know what kind of environment you work in, but in mine, backups and disaster recovery are important; but so is confidentiality. Your scenario makes no allowance for the release of proprietary information presumably on the filer.
matto
--matt@snark.net---------------------------------------------<darwin><
Matt Ghali MG406/GM023JP
tokyo refugee - system admin - pop-tart fan
www.hello-kitty.net
"WWW my testicles!" - Bob Allisat, net.kook
goes; I don't know what kind of environment you work in, but in mine, backups and disaster recovery are important; but so is confidentiality. Your scenario makes no allowance for the release of proprietary information presumably on the filer.
Wow, what people can read into stuff amazes me.
Suffice it to say that my reply was pretty tongue-in-cheek, and your knowledge of my environment, and my practices, is squat.
With that, I'm off on a well needed vacation. Hope nobody messes with my firmware while I'm gone!!! :-)
Graham
"Graham C. Knight" wrote:
I find this all rather amusing.
IF somebody really wants to screw us up and IF they can crack our firewall and IF they can crack the root password of our admin host and IF they care to upgrade the firmware on our filer and IF they know how to do it and IF it breaks the filer beyond usability
THEN
that's why we have backups and that's why we buy hardware support.
Ah, ye'ole arguments of:
"security thru obscurity is bliss" & "me make'em firewall"
I believe that as emerging foreign markets are the greatest threat to international businesses, every vulnerability needs to be addressed with proper security measures. The term data-broker is not a fictitious invention of Tom Clancy. And, I believe that as NetApp strengthens its position as a market leader in Toaster-Technology, they should assume a greater responsibility towards data & hardware security.
And not to divert too far into tangent waters, but you forgot your ENDIF.
Ah, ye'ole arguments of:
"security thru obscurity is bliss" & "me make'em firewall"
Damn, that must be why people keep saying "swiss cheese" when I walk down the hall! :-)
But really, I think my little fun and games with this topic has reached its end. I have no obscurity, and I am capable of using proper English when talking about a firewall, thank you very much. But I still think this whole disk firmware upgrade scare is amusing. Some people just have too much time on their hands. There are holes that you could drive trucks through in every OS - this little thing looks like a pinprick to me.
And not to divert too far into tangent waters, but you forgot your ENDIF.
} /* end if */
Graham