COMMAND

    NetApp Filer

SYSTEMS AFFECTED

    NetApp Filer software versions 5.x

PROBLEM

    Jason Downs found the following.  He was going through the
    documentation for version 5.2.1 (the latest) of the Network
    Appliance Filer operating system when he stumbled upon this little
    gem:

        "Use the disk_fw_update command to update out-of-date firmware
        on all disks  or a specified  disk on a  filer. Each filer  is
        shipped with a /etc/disk_fw directory that contains the latest
        firmware revisions."

        [...]

        "In the /etc/disk_fw directory,  the firmware file name  is in
        the  form  of  product_ID.revision.LOD.  For  example,  if the
        firmware file is for  Seagate disks with product  ID ST19171FC
        and  the  firmware  revision  is   FB37,  the  file  name   is
        ST19171FC.FB37.LOD.   The  revision  in  the  file name is the
        number against which the  filer compares each disk's  existing
        firmware revision."

        [...]

        "Before  Data  ONTAP  5.2,  the  disk_fw_update command copied
        firmware files from the /etc directory. In the /etc directory,
        the  name  for   the  firmware  file   was  in  the   form  of
        product_ID.LOD. The  revision number  was not  included in the
        file name.  Data ONTAP 5.2 continues to support firmware files
        in the /etc directory for backward compatibility.  That is, if
        you  obtain  a  disk  firmware  file  and store it in the /etc
        directory, you can use the disk_fw_update command to copy that
        firmware file to disks, unless  there is also a firmware  file
        for the same  product ID in  the /etc/disk_fw directory.   The
        files in the /etc/disk_fw  directory take precedence over  the
        files in the /etc directory."

        [...]

    Filers typically have an "admin host" which can mount and
    read/write the filer root directory.  Without it, it is
    impossible to do any sort of system maintenance on the filer.  If
    this host is compromised, it is obviously bad news for the filer.
    But now, apparently new with the 5.x revisions of the filer
    operating system, a malicious individual can likely destroy the
    disk drive hardware itself.  It is not known whether any sort of
    sanity check is done on the contents of the firmware files; it is
    likely there is none, considering the type of code they contain.
    Of course, it is trivial to gain command line access to a filer
    once the admin host is compromised, since filers use what amounts
    to /etc/hosts.equiv for rsh access.  It has always been important
    to make sure the "admin host" of a filer is secure.  Now it seems
    Network Appliance has just raised the stakes: not only can you
    lose your data, but you can also potentially lose hundreds of
    thousands of dollars worth of hardware.
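    As an added illustration (not part of the original advisory and
    not NetApp's own tooling), the following Python script applies the
    documented file-name and precedence rules to work out which
    firmware files disk_fw_update would actually copy to disks, and
    flags any that are new or changed compared with a baseline
    recorded while the filer root was known good.  The mount path,
    the character set allowed in product IDs and the baseline format
    are assumptions.

```python
import hashlib
import os
import re

# File name forms documented for disk_fw_update (Data ONTAP 5.2):
#   /etc/disk_fw/<product_ID>.<revision>.LOD   takes precedence
#   /etc/<product_ID>.LOD                       pre-5.2 form, still honoured
# Assumption: product IDs and revisions are alphanumeric (e.g. ST19171FC, FB37).
NEW_STYLE = re.compile(r"^([A-Za-z0-9]+)\.([A-Za-z0-9]+)\.LOD$")
OLD_STYLE = re.compile(r"^([A-Za-z0-9]+)\.LOD$")

def effective_firmware(disk_fw_names, etc_names):
    """Map product_ID -> relative path of the file disk_fw_update would
    actually copy to disks, applying the documented precedence rule."""
    chosen = {}
    for name in etc_names:
        m = OLD_STYLE.match(name)
        if m:
            chosen[m.group(1)] = "etc/" + name
    for name in disk_fw_names:          # processed last, so it overrides /etc
        m = NEW_STYLE.match(name)
        if m:
            chosen[m.group(1)] = "etc/disk_fw/" + name
    return chosen

def audit_firmware(disk_fw_names, etc_names, hashes, baseline):
    """hashes: {relative path: sha256 hex} for every firmware file present now;
    baseline: the same map recorded when the filer root was known good.
    Returns (product_ID, path, reason) for files that would be applied to
    disks but are absent from the baseline or differ from it."""
    findings = []
    for product, path in sorted(effective_firmware(disk_fw_names, etc_names).items()):
        if path not in baseline:
            findings.append((product, path, "not in baseline"))
        elif hashes.get(path) != baseline[path]:
            findings.append((product, path, "hash changed"))
    return findings

def scan_filer_root(root):
    """Collect firmware file names and hashes from a mounted filer root
    (assumed: the admin host's mount).  Returns (disk_fw_names, etc_names, hashes)."""
    disk_fw_names, etc_names, hashes = [], [], {}
    for sub, names in (("etc/disk_fw", disk_fw_names), ("etc", etc_names)):
        d = os.path.join(root, sub)
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            if name.endswith(".LOD"):
                names.append(name)
                with open(os.path.join(d, name), "rb") as f:
                    hashes[sub + "/" + name] = hashlib.sha256(f.read()).hexdigest()
    return disk_fw_names, etc_names, hashes
```

    Run scan_filer_root once on a trusted filer to record the
    baseline, then re-run it periodically and pass the result to
    audit_firmware; any finding means a file disk_fw_update would
    write to the drives has appeared or changed.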

    Kragen Sitaker added the following.  His biggest concern with
    upgradable firmware is much more severe.  If you can "upgrade"
    the firmware on the disk somebody boots their machine from, you
    can theoretically do unbelievably devilish things.  You can insert
    arbitrary code into the OS kernel, for example, but only when you
    boot off that disk; if you boot off a floppy to check the disk
    with Tripwire or L5, you can present the unmodified kernel.  Most
    disks have plenty of spare space on them -- reserved for
    remapping bad blocks -- and you would have plenty of space to
    store whatever malicious code you wanted.  You could, for
    instance, insert nonstandard options into IP headers and use them
    as a covert channel to alert you of the existence and
    configuration of infected machines.  You could send extra packets
    during times of heavy traffic.  You could insert extra queries
    into DNS packets -- queries that would ultimately be forwarded to
    malicious DNS servers.  Once you'd found infected machines, you
    could exert complete control over them.  A particularly obnoxious
    possibility: you could insert "logic bombs" into the disk firmware
    that would activate only when a certain sequence (long and rather
    improbable, perhaps a few hundred bytes) was read from the disk.
    Then spam people with a .gif containing that sequence, along with
    steganographically encoded machine code.  They extract the .gif
    onto their disk, nicely aligned with the beginning of a sector,
    and load it up with Netscape.  And if your break-in was spotted
    and the machine reinstalled from scratch, it wouldn't matter.  The
    machine would still be compromised, and there would be no way to
    tell that it was compromised, since you can't check the firmware
    with L5.

SOLUTION

    Nothing yet.  These feats would be technically difficult and
    narrowly applicable, requiring detailed knowledge of particular
    disk designs and operating systems.  But the threat is much more
    severe than the mere threat of someone breaking into your machine
    and stealing or deleting your data.  Firmware that is flashable
    without requiring inconvenient physical access is bad.