Hey there,
One of our customers had a pentester onsite who found the following issues with the NetApp filers there.
RPC Enumeration discovered By sending a DUMP request to the portmapper, it is possible to enumerate the RPC services running on the remote port. Using this information, an attacker can connect and bind to each service by sending an RPC request to the remote port and exploit the host.
Note: Specific Target IPs are included in the "Detailed IP List."
nGuard recommends downloading the latest security patches from Microsoft.
Does anyone know what exactly the problem here is and if there are any tunables to change the behaviour on NetApp (Ontap9+) filers?
Thanks,
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/
Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
I would say....
Yeah sure that would affect a MICROSOFT box. However this is A FALSE POSITIVE as the target of inquiry is a NetApp ONTAP box and the diagnosis clearly thinks it is Microsoft
Get Outlook for iOShttps://aka.ms/o0ukef
________________________________ From: toasters-bounces@teaparty.net on behalf of Alexander Griesser agriesser@anexia-it.com Sent: Wednesday, July 24, 2019 12:51 AM To: Toasters Subject: RPC Enumeration security finding
Hey there,
One of our customers had a pentester onsite who found the following issues with the NetApp filers there.
RPC Enumeration discovered By sending a DUMP request to the portmapper, it is possible to enumerate the RPC services running on the remote port. Using this information, an attacker can connect and bind to each service by sending an RPC request to the remote port and exploit the host.
Note: Specific Target IPs are included in the "Detailed IP List." nGuard recommends downloading the latest security patches from Microsoft.
Does anyone know what exactly the problem here is and if there are any tunables to change the behaviour on NetApp (Ontap9+) filers?
Thanks,
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/
Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
These scans generally look for common ports when notifying for vulnerabilities. SMB uses the same ports on Windows and ONTAP. But ONTAP doesn't have the same codeline as Microsoft, so this issue won't apply.
From: toasters-bounces@teaparty.net toasters-bounces@teaparty.net On Behalf Of Tim McCarthy Sent: Wednesday, July 24, 2019 7:22 AM To: Alexander Windbichler AGriesser@anexia-it.com; Toasters toasters@teaparty.net Subject: Re: RPC Enumeration security finding
NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
I would say....
Yeah sure that would affect a MICROSOFT box. However this is A FALSE POSITIVE as the target of inquiry is a NetApp ONTAP box and the diagnosis clearly thinks it is Microsoft
Get Outlook for iOShttps://aka.ms/o0ukef
________________________________ From: toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net on behalf of Alexander Griesser <agriesser@anexia-it.commailto:agriesser@anexia-it.com> Sent: Wednesday, July 24, 2019 12:51 AM To: Toasters Subject: RPC Enumeration security finding
Hey there,
One of our customers had a pentester onsite who found the following issues with the NetApp filers there.
RPC Enumeration discovered By sending a DUMP request to the portmapper, it is possible to enumerate the RPC services running on the remote port. Using this information, an attacker can connect and bind to each service by sending an RPC request to the remote port and exploit the host.
Note: Specific Target IPs are included in the "Detailed IP List." nGuard recommends downloading the latest security patches from Microsoft.
Does anyone know what exactly the problem here is and if there are any tunables to change the behaviour on NetApp (Ontap9+) filers?
Thanks,
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/
Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
Thanks for all your feedback - this was my assumption too, just wanted to get some more "votes" on the false positive idea.
Best,
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/
Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
Von: Parisi, Justin Justin.Parisi@netapp.com Gesendet: Mittwoch, 24. Juli 2019 15:09 An: Tim McCarthy tmacmd@gmail.com; Alexander Griesser AGriesser@anexia-it.com; Toasters toasters@teaparty.net Betreff: RE: RPC Enumeration security finding
These scans generally look for common ports when notifying for vulnerabilities. SMB uses the same ports on Windows and ONTAP. But ONTAP doesn't have the same codeline as Microsoft, so this issue won't apply.
From: toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net <toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net> On Behalf Of Tim McCarthy Sent: Wednesday, July 24, 2019 7:22 AM To: Alexander Windbichler <AGriesser@anexia-it.commailto:AGriesser@anexia-it.com>; Toasters <toasters@teaparty.netmailto:toasters@teaparty.net> Subject: Re: RPC Enumeration security finding
NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
I would say....
Yeah sure that would affect a MICROSOFT box. However this is A FALSE POSITIVE as the target of inquiry is a NetApp ONTAP box and the diagnosis clearly thinks it is Microsoft
Get Outlook for iOShttps://aka.ms/o0ukef
________________________________ From: toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net on behalf of Alexander Griesser <agriesser@anexia-it.commailto:agriesser@anexia-it.com> Sent: Wednesday, July 24, 2019 12:51 AM To: Toasters Subject: RPC Enumeration security finding
Hey there,
One of our customers had a pentester onsite who found the following issues with the NetApp filers there.
RPC Enumeration discovered By sending a DUMP request to the portmapper, it is possible to enumerate the RPC services running on the remote port. Using this information, an attacker can connect and bind to each service by sending an RPC request to the remote port and exploit the host.
Note: Specific Target IPs are included in the "Detailed IP List."
nGuard recommends downloading the latest security patches from Microsoft.
Does anyone know what exactly the problem here is and if there are any tunables to change the behaviour on NetApp (Ontap9+) filers?
Thanks,
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/
Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
-
Alexander Griesser -
Parisi, Justin -
Tim McCarthy