Re: NetApp Filer software versions 5.x: potential hardware killer
daemon@ATHENA.MIT.EDU (der Mouse)
Sat Feb 13 16:41:08 1999
Date: Sat, 13 Feb 1999 10:01:46 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
>> But now, apparently new with the 5.x revisions of the filer
>> operating system, a malicious individual can likely destroy the disk
>> drive hardware itself.

On reflection, this is really a bug in the disk drive. If a NetApp can
shove new firmware into the drive, so could any host it's connected to.

> How is this different from any host (Unix, Windows, DOS, network
> equipment) that has one or more components with upgradeable firmware?

In my opinion, it isn't fundamentally different. If I saw, for
example, a machine with flashable "PROM" code that *didn't* require
some physical change - e.g., a jumper on the board - to enable that
functionality, I wouldn't go near the thing.

Any drive that allows its host to download new firmware without some
documented hard means of disabling this capability (typically a jumper
on the drive) is just *asking* for trouble.

NetApp is not the problem. Given knowledge of the relevant commands to
the drive, any of the free-source OSes could become just as dangerous.
NetApp is contributing only in that they make it a little easier to
shove new firmware into a drive.

> If I recall correctly, the procedure goes something like this: after
> the new firmware has completed uploading, the checksum is verified
> and/or it is tested in other ways (there is room for both the old and
> new copies, I guess), and only then will the disk switch over to the
> new firmware using some atomic operation.
> So it may be true that someone could construct an evil firmware that
> also passes muster (it may be difficult to do this -- I don't know),

"I guess" - "may be true" - "I don't know". This sounds a whole lot
like something bugtraq has seen many times before, a flavor of
security-through-obscurity: a device with a capability that has
unpleasant security implications that is rendered "secure" (note the
quotes) by keeping that capability secret. I recall this most recently
with router boxes that have "secret" backdoor passwords, but this is
not fundamentally different.

> and upon gaining root access to your filer, instead of zeroing all of
> your disks, they turn your disks into bricks.

Mind you, I have trouble imagining what an attacker would want to do to
your drives except turning them into bricks (i.e., a DoS attack) - but I
am not the least bit sure nobody will think of something fiendish that
I haven't thought of.

> To be honest, I don't know how irrecoverable today's disks are when a
> bad firmware is uploaded.

Mm-hmm. More undocumented aspects of common hardware.

Seagate, Quantum, etc: any of you present on bugtraq? Any of you care
to speak up and document these aspects of your drives? Or if you *are*
using a standardized capability, point to where it's documented?
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B