In message 7F608EC0BDE6D111B53A00805FA7F7DA02C3834B@TAHOE.netapp.com, "Madison, Shannon" writes:
Forwarded per Radek:
-----Original Message-----
From: Radek Aster
Sent: Friday, February 12, 1999 11:20 AM
Subject: Re: FW: URGENT!!!! FW: NetApp Filer software versions 5.x: potential hardware killer (fwd)
IMHO, this is a pile. Jason makes the statement that he can create a file (of the appropriate size), fill it with garbage, and download it to disk drives which will then become bricks.
Geez. How stupid does he think Seagate is? Don't answer that. :-)
It's not a question of how stupid I think Seagate is. It's a question of how stupid I think NetApp is for implementing 'online' disk firmware updates.
Seriously, the firmware files have checksums embedded in them. As part of the update process, the drive will verify the checksum before committing the firmware to flash. If the checksum doesn't verify, the update is cancelled. No harm, no foul. Pretty SOP with firmware downloads. Heck, one could make the same "security" argument with any hardware component with downloadable firmware. Why pick on drives?
All a checksum does is make it more difficult than dd'ing /dev/zero in order to produce something the drive will take. You're missing the point.
Granted, he *could* get his hands on unqualified and/or bad firmware and download it to the drives .... is this enough to cry "the sky is falling"?
If this is seen as a serious enough "security issue", we can always ship *encrypted* files, and decrypt them ourselves before downloading, thereby verifying the contents and identity of files we ship.
IMHO, the 'best' way to do it would be to require the files be on a floppy, or some other method which restricts firmware updates to the physical console.
Oh, and by the way: Keep in mind that _I am a customer_. Attacking me or making snide comments instead of addressing the issues that I've raised does NOT encourage me to purchase more Network Appliance products.
--Radek
Jason Downs downsj@downsj.com writes:
Jason> I was going through the documentation for version 5.2.1 (the latest) of the Network Appliance Filer operating system when I stumbled upon this little gem: "Use the disk_fw_update command to update out-of-date firmware on all disks or a specified disk on a filer. Each filer is shipped with a /etc/disk_fw directory that contains the latest firmware revisions."
Jason> [...]
Jason> "In the /etc/disk_fw directory, the firmware file name is in the form of product_ID.revision.LOD. For example, if the firmware file is for Seagate disks with product ID ST19171FC and the firmware revision is FB37, the file name is ST19171FC.FB37.LOD. The revision in the file name is the number against which the filer compares each disk's existing firmware revision."
Jason> [...]
Jason> "Before Data ONTAP 5.2, the disk_fw_update command copied firmware files from the /etc directory. In the /etc directory, the name for the firmware file was in the form of product_ID.LOD. The revision number was not included in the file name. Data ONTAP 5.2 continues to support firmware files in the /etc directory for backward compatibility. That is, if you obtain a disk firmware file and store it in the /etc directory, you can use the disk_fw_update command to copy that firmware file to disks, unless there is also a firmware file for the same product ID in the /etc/disk_fw directory. The files in the /etc/disk_fw directory take precedence over the files in the /etc directory."
Jason> [...]
Jason> Filers typically have an "admin host" which can mount and read/write to the filer root directory. Without it, it's impossible to do any sort of system maintenance on the filer. If this host is compromised it's obviously bad news for the filer. But now, apparently new with the 5.x revisions of the filer operating system, a malicious individual can likely destroy the disk drive hardware itself. It is not known if any sort of sanity check is done on the contents of the firmware files; it's likely there is none, considering the type of code they contain. Of course, it is trivial to gain command line access to a filer once the admin host is compromised. They use what amounts to /etc/hosts.equiv for rsh access. It has always been important to make sure the "admin host" of a filer is secure. Now it seems Network Appliance has just raised the stakes; not only can you lose your data, but you can also potentially lose hundreds of thousands of dollars worth of hardware.
Jason> -- Jason Downs downsj@downsj.com
-- Jason Downs downsj@downsj.com
Little. Yellow. Secure. http://www.openbsd.org/
Sending unsolicited commercial email to this address may be a violation of the Washington State Consumer Protection Act, chapter 19.86 RCW.
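An added illustration, not part of this thread and not code from NetApp or Seagate, of the checksum-versus-authentication distinction argued above. It models a constructed firmware image format (a body followed by a 16-bit additive checksum trailer) next to an image that instead carries an HMAC-SHA256 tag computed with a key the admin host never holds. The checksum verifier accepts any body whose trailer was computed over it, an all-zero body included, and only catches accidental corruption; the keyed verifier rejects anything not produced by the key holder. The image layout, the key, and the firmware bodies are all constructed for the example; HMAC stands in for the encryption Radek proposes, and in practice a public-key signature is the usual choice so that the verifying side holds no secret.

```python
"""Checksum versus authentication for a firmware image (constructed model).

The layout used here (body + 2-byte additive checksum, or body + 32-byte
HMAC-SHA256 tag) is hypothetical and is not the format of any real drive
firmware file or of the /etc/disk_fw files discussed in the thread.
"""
import hashlib
import hmac
import struct

CHECKSUM_LEN = 2   # hypothetical 16-bit additive checksum trailer
TAG_LEN = 32       # HMAC-SHA256 tag length


def additive_checksum(body: bytes) -> int:
    """16-bit additive checksum: sum of all bytes modulo 2**16."""
    return sum(body) & 0xFFFF


def build_checksummed_image(body: bytes) -> bytes:
    """Append the checksum trailer. Anyone holding the body can do this,
    which is why the check only protects against accidental corruption."""
    return body + struct.pack(">H", additive_checksum(body))


def verify_checksum(image: bytes) -> bool:
    """Model of a drive that verifies the checksum before committing to flash."""
    if len(image) <= CHECKSUM_LEN:
        return False
    body, trailer = image[:-CHECKSUM_LEN], image[-CHECKSUM_LEN:]
    return struct.unpack(">H", trailer)[0] == additive_checksum(body)


def build_authenticated_image(body: bytes, vendor_key: bytes) -> bytes:
    """Vendor side: append an HMAC-SHA256 tag over the body using a key that
    is never present on the admin host (stand-in for a vendor signature)."""
    return body + hmac.new(vendor_key, body, hashlib.sha256).digest()


def verify_authenticated(image: bytes, vendor_key: bytes) -> bool:
    """Filer/drive side: recompute the tag and compare in constant time."""
    if len(image) <= TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(vendor_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def flip_first_byte(image: bytes) -> bytes:
    """Simulate a single corrupted byte in transit (body, not trailer)."""
    corrupted = bytearray(image)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def demo() -> dict:
    """Run both verifiers over constructed genuine, corrupted and garbage images."""
    vendor_key = b"constructed-vendor-key-not-real"   # constructed, held only by vendor + filer
    other_key = b"constructed-key-nobody-trusts"      # constructed, models a party without the vendor key
    genuine_body = b"GENUINE-FIRMWARE-BODY" * 8       # constructed stand-in for real firmware
    garbage_body = b"\x00" * len(genuine_body)        # the "dd /dev/zero" case from the thread

    genuine_ck = build_checksummed_image(genuine_body)
    genuine_auth = build_authenticated_image(genuine_body, vendor_key)

    return {
        # An additive checksum verifies for any body whose trailer was computed over it.
        "checksum_accepts_genuine": verify_checksum(genuine_ck),
        "checksum_accepts_garbage": verify_checksum(build_checksummed_image(garbage_body)),
        # What the checksum does catch: a byte changed in transit.
        "checksum_rejects_corrupted": verify_checksum(flip_first_byte(genuine_ck)),
        # A keyed tag verifies only for images produced with the vendor key.
        "auth_accepts_genuine": verify_authenticated(genuine_auth, vendor_key),
        "auth_rejects_garbage_without_key": verify_authenticated(
            build_authenticated_image(garbage_body, other_key), vendor_key),
        "auth_rejects_tampered_body": verify_authenticated(flip_first_byte(genuine_auth), vendor_key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The keyed variant models Radek's "decrypt them ourselves before downloading" proposal: the property that matters is that producing an acceptable image requires a secret (or signing key) that a compromised admin host does not hold, which a checksum by construction never requires.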