Processor Speculated Execution Vulnerabilities in NetApp Products

Summary

Many modern processors are susceptible to a group of vulnerabilities which are referred to as Meltdown and Spectre. These vulnerabilities allow unprivileged attackers to abuse CPU data cache timing to leak information out of speculated execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. This advisory will be updated as additional information becomes available.

Impact

Successful exploitation of these vulnerabilities allows unprivileged attackers to abuse CPU data cache timing to leak information out of speculated execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. These attacks require the ability to run malicious code directly on the target system.

ONTAP:
Unlike a general-purpose operating system, ONTAP does not provide mechanisms for non-administrative users to run third-party code. Due to this behavior, ONTAP is not affected by either the Spectre or Meltdown attacks. The same is true of all ONTAP variants including both ONTAP running on FAS/AFF hardware as well as virtualized ONTAP products such as ONTAP Select and ONTAP Cloud.

While ONTAP Select and ONTAP Cloud are not directly affected by these attacks, these attacks may be possible against the utilized hypervisor platform. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.

StorageGRID:
StorageGRID and StorageGRID Webscale do not provide mechanisms for running unprivileged third-party code and are not directly affected. For virtualized deployments, NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform. For Docker-based deployments, NetApp recommends working with your operating system and hardware vendors to ensure that your NetApp product is running on a secure and patched platform.

SolidFire:
Unlike a general-purpose operating system, Element OS is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, Element OS running on SolidFire or NetApp HCI Storage nodes is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.

SANtricity:
Unlike a general-purpose operating system, SANtricity does not provide mechanisms for running third-party code. Due to this behavior, SANtricity is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.

OnCommand Unified Manager for VMware vSphere:
OnCommand Unified Manager for VMware vSphere packages Unified Manager into a VMware hypervisor environment and does not provide mechanisms for non-administrative users to run third-party code on the hypervisor. Due to this behavior, OnCommand Unified Manager for VMware vSphere is not affected by either the Spectre or Meltdown attacks.

While OnCommand Unified Manager for VMware vSphere is not directly affected by these attacks, these attacks may be possible against the utilized hypervisor platform. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.

Brocade Advisory:
http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2018-522.htm

FAS/AFF System Firmware (BIOS):
FAS/AFF BIOS firmware does not provide a mechanism to run arbitrary code and thus is not susceptible to either the Spectre or Meltdown attacks.

NetApp HCI Compute Node:
NetApp HCI Compute Node is tracked as affected with remediation by customer installation of ESXi patches and microcode updates from VMware detailed in KB 52245.

NetApp SolidFire Element OS Management Node:
The NetApp SolidFire Element OS Management Node provides console access for end users and therefore it is tracked as affected. The underlying hypervisor infrastructure should be patched by customer installation of ESXi patches and microcode updates. Customers running whitebox server should consult the manufacturer for microcode availability.

Vulnerability Scoring Details

CVE Score Vector
CVE-2017-5715 8.2 (HIGH) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE-2017-5753 8.2 (HIGH) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE-2017-5754 7.1 (HIGH) CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References

Affected Products

  • NetApp HCI Compute Nodes
  • NetApp SolidFire Element OS Management Node

Products Not Affected

  • 7-Mode Transition Tool
  • ATTO FibreBridge
  • Active IQ Performance Analytics Services
  • AutoSupport, MySupport,support.netapp.com
  • Brocade Fabric Operating System Firmware
  • Brocade Network Advisor Software
  • Brocade Network Operating System Firmware
  • Cloud Control
  • Cluster Network Switch (NetApp CN1610)
  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • Data ONTAP operating in 7-Mode
  • E-Series SANtricity Management Plug-ins (VMware vCenter)
  • E-Series SANtricity OS Controller Software 11.x
  • E-Series SANtricity OS Controller Software 8.x
  • E-Series SANtricity Storage Manager
  • E-Series SANtricity Web Services (REST API) for Web Services Proxy
  • FAS/AFF System Firmware
  • Host Utilities - SAN for ESX
  • Host Utilities - SAN for Unix and Linux
  • Host Utilities - SAN for Windows
  • MetroCluster Tiebreaker for clustered Data ONTAP
  • Multipath I/O (Data ONTAP DSM for Windows MPIO)
  • NetApp Cloud Backup (formerly AltaVault)
  • NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)
  • NetApp Converged Systems Advisor
  • NetApp HCI Storage Nodes
  • NetApp Manageability SDK
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp Plug-in for Symantec NetBackup
  • NetApp SANtricity Cloud Connector
  • NetApp SANtricity SMI-S Provider
  • NetApp SMI-S Provider
  • NetApp Service Level Manager
  • NetApp SteelStore Cloud Integrated Storage
  • NetApp Storage Encryption
  • NetApp VASA Provider for Clustered Data ONTAP 7.0 and above
  • ONTAP Select Deploy administration utility
  • OnCommand API Services
  • OnCommand Cloud Manager
  • OnCommand Insight
  • OnCommand Plug-in for Microsoft
  • OnCommand System Manager
  • OnCommand Unified Manager for 7-Mode (core package)
  • OnCommand Unified Manager for Linux 7.3 and above
  • OnCommand Unified Manager for VMware vSphere 7.3 and above
  • OnCommand Unified Manager for Windows 7.3 and above
  • OnCommand Workflow Automation
  • Open Systems SnapVault Agent
  • Perfstat
  • RAID Controller CTS2600 Legacy Engenio
  • Service Processor
  • Single Mailbox Recovery
  • Snap Creator Framework
  • SnapCenter Server
  • SnapDrive for Unix
  • SnapDrive for Windows
  • SnapManager for Exchange
  • SnapManager for Hyper-V
  • SnapManager for MS SQL
  • SnapManager for Oracle
  • SnapManager for SAP
  • SnapManager for Sharepoint
  • SnapProtect
  • SolidFire Element OS
  • SolidFire VMware vCenter Plug-in
  • Storage Automation Store
  • Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 4.x and above
  • Storage Services Connector
  • StorageGRID
  • StorageGRID Webscale
  • System Setup
  • Virtual Storage Console for VMware vSphere 7.0 and above

Software Versions and Fixes

None.

This section will be updated as patches are released.

Workarounds

None at this time.

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/NOW/cgi-bin/software/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Interim.

NetApp will continue to update this advisory as additional information becomes available.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20180104-0001

Revision History

Revision # Date Comments
1.0 20180104 Initial Public Release
2.0 20180105 Impact section updated. FAS/AFF System Firmware (BIOS) moved to Affected Products. ATTO FibreBridge moved to Products Under Investigation. E-Series SANtricity OS Controller Software 8.x, E-Series SANtricity OS Controller Software 11.30 and later, FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP, NetApp AltaVault, NetApp VASA Provider for Clustered Data ONTAP, ONTAP Select Deploy administration utility, StorageGRID, StorageGRID Webscale, and Virtual Storage Console for VMware vSphere, moved to Products Not Affected
3.0 20180107 FAS/AFF System Firmware (BIOS) moved back to Products Under Investigation
4.0 20180108 ATTO FibreBridge moved to Products Not Affected, Brocade Fabric Operating System Firmware and Brocade Network Operating System Firmware moved to Products Under Investigation
5.0 20180109 SANtricity Impact added.
6.0 20180112 OnCommand Unified Manager for VMware vSphere Impact added. Service Processor moved to Products Not Affected.
7.0 20180116 NetApp HCI split into NetApp HCI Compute Nodes and NetApp HCI Storage Nodes. Brocade Fabric Operating System Firmware, Brocade Network Operating System Firmware, and NetApp HCI Storage Nodes moved to Products Not Affected.
8.0 20180117 FAS/AFF System Firmware (BIOS) moved to Products Not Affected, NetApp HCI Compute Node moved to Affected Products.
9.0 20180125 NetApp SteelStore Cloud Integrated Storage added to Products Under Investigation
10.0 20180126 NetApp SteelStore Cloud Integrated Storage moved to Products Not Affected.
11.0 20180201 NetApp SolidFire Element OS Management Node added to the advisory and moved to Affected Products.
12.0 20180307 Cluster Network Switch (NetApp CN1610) moved to Products not Affected
13.0 20180321 Updated Impact for NetApp HCI Compute Node and NetApp SolidFire Element OS Management Node
14.0 20180417 Updated Impact for NetApp HCI Compute Node and NetApp SolidFire Element OS Management Node

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2017 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.