Processor Speculated Execution Vulnerabilities in NetApp Products

circle-check-alt This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

Summary

Many modern processors are susceptible to a group of vulnerabilities which are referred to as Meltdown and Spectre. These vulnerabilities allow unprivileged attackers to abuse CPU data cache timing to leak information out of speculated execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. This advisory will be updated as additional information becomes available.

Impact

Successful exploitation of these vulnerabilities allows unprivileged attackers to abuse CPU data cache timing to leak information out of speculated execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. These attacks require the ability to run malicious code directly on the target system.

ONTAP:
Unlike a general-purpose operating system, ONTAP does not provide mechanisms for non-administrative users to run third-party code. Due to this behavior, ONTAP is not affected by either the Spectre or Meltdown attacks. The same is true of all ONTAP variants including both ONTAP running on FAS/AFF hardware as well as virtualized ONTAP products such as ONTAP Select and ONTAP Cloud.

While ONTAP Select and ONTAP Cloud are not directly affected by these attacks, these attacks may be possible against the utilized hypervisor platform. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.

StorageGRID:
StorageGRID and StorageGRID Webscale do not provide mechanisms for running unprivileged third-party code and are not directly affected. For virtualized deployments, NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform. For Docker-based deployments, NetApp recommends working with your operating system and hardware vendors to ensure that your NetApp product is running on a secure and patched platform.

NetApp HCI Storage Nodes:
Unlike a general-purpose operating system, Element OS is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, Element OS running on SolidFire or NetApp HCI Storage nodes is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.

SANtricity:
Unlike a general-purpose operating system, SANtricity does not provide mechanisms for running third-party code. Due to this behavior, SANtricity is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.

OnCommand Unified Manager for VMware vSphere:
OnCommand Unified Manager for VMware vSphere packages Unified Manager into a VMware hypervisor environment and does not provide mechanisms for non-administrative users to run third-party code on the hypervisor. Due to this behavior, OnCommand Unified Manager for VMware vSphere is not affected by either the Spectre or Meltdown attacks.

While OnCommand Unified Manager for VMware vSphere is not directly affected by these attacks, these attacks may be possible against the utilized hypervisor platform. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.

Brocade Advisory:
http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2018-522.htm

FAS/AFF System Firmware (BIOS):
FAS/AFF BIOS firmware does not provide a mechanism to run arbitrary code and thus is not susceptible to either the Spectre or Meltdown attacks.

NetApp HCI Compute Node (Bootstrap OS):
NetApp HCI Compute Node is tracked as affected with remediation by customer installation of ESXi patches and microcode updates from VMware detailed in KB 52245.

NetApp SolidFire & HCI Management Node:
The NetApp SolidFire Element OS Management Node provides console access for end users and therefore it is tracked as affected. The underlying hypervisor infrastructure should be patched by customer installation of ESXi patches and microcode updates. Customers running whitebox server should consult the manufacturer for microcode availability.

Vulnerability Scoring Details

CVE Score Vector
CVE-2017-5715 8.2 (HIGH) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE-2017-5753 8.2 (HIGH) CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE-2017-5754 7.1 (HIGH) CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References

Affected Products

  • NetApp HCI Compute Node (Bootstrap OS)
  • NetApp SolidFire & HCI Management Node

Products Not Affected

  • 7-Mode Transition Tool
  • ATTO FibreBridge
  • Active IQ Unified Manager (formerly OnCommand Unified Manager) for Linux 7.3 and above
  • Active IQ Unified Manager (formerly OnCommand Unified Manager) for VMware vSphere 9.5 and above
  • Active IQ Unified Manager (formerly OnCommand Unified Manager) for Windows 7.3 and above
  • Brocade Fabric Operating System Firmware
  • Brocade Network Advisor Software
  • Cluster Network Switch (NetApp CN1610)
  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • Data ONTAP operating in 7-Mode
  • E-Series SANtricity OS Controller Software 11.x
  • E-Series SANtricity OS Controller Software 8.x
  • E-Series SANtricity Storage Manager
  • E-Series SANtricity Web Services (REST API) for Web Services Proxy
  • Element Plug-in for vCenter Server
  • FAS/AFF BIOS
  • Host Utilities - SAN for Linux
  • Host Utilities - SAN for Windows
  • MetroCluster Tiebreaker for clustered Data ONTAP
  • NetApp Cloud Backup (formerly AltaVault)
  • NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)
  • NetApp Converged Systems Advisor Agent
  • NetApp HCI Storage Nodes
  • NetApp Manageability SDK
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp Plug-in for Symantec NetBackup
  • NetApp SANtricity Cloud Connector
  • NetApp SANtricity SMI-S Provider
  • NetApp SMI-S Provider
  • NetApp Service Level Manager
  • NetApp SolidFire & HCI Storage Node (Element Software)
  • NetApp SteelStore Cloud Integrated Storage
  • NetApp Storage Encryption
  • NetApp VASA Provider for Clustered Data ONTAP 7.2 and above
  • ONTAP Select Deploy administration utility
  • OnCommand API Services
  • OnCommand Cloud Manager
  • OnCommand Insight
  • OnCommand System Manager 9.x
  • OnCommand Unified Manager for 7-Mode (core package)
  • OnCommand Workflow Automation
  • Open Systems SnapVault Agent
  • RAID Controller CTS2600 Legacy Engenio
  • Service Processor
  • Single Mailbox Recovery
  • Snap Creator Framework
  • SnapCenter
  • SnapDrive for Unix
  • SnapDrive for Windows
  • SnapManager for Exchange
  • SnapManager for Hyper-V
  • SnapManager for MS SQL
  • SnapManager for Oracle
  • SnapManager for SAP
  • SnapManager for Sharepoint
  • Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above
  • Storage Services Connector
  • StorageGRID (formerly StorageGRID Webscale)
  • StorageGRID Webscale NAS Bridge
  • StorageGRID9 (9.x and prior)
  • System Setup
  • Virtual Storage Console for VMware vSphere 7.2 and above

Software Versions and Fixes

NetApp's currently available patches are listed below.


Product First Fixed in Release
NetApp HCI Compute Node (Bootstrap OS) https://mysupport.netapp.com/site/products/all/details/netapp-hci/downloads-tab/download/62542/1.8

Partial fix available via the ESXi patches. https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html

Workarounds

None at this time.

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/site/downloads/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Final.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20180104-0001

Revision History

Revision # Date Comments
1.0 20180104 Initial Public Release
2.0 20180105 Impact section updated. FAS/AFF System Firmware (BIOS) moved to Affected Products. ATTO FibreBridge moved to Products Under Investigation. E-Series SANtricity OS Controller Software 8.x, E-Series SANtricity OS Controller Software 11.30 and later, FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP, NetApp AltaVault, NetApp VASA Provider for Clustered Data ONTAP, ONTAP Select Deploy administration utility, StorageGRID, StorageGRID Webscale, and Virtual Storage Console for VMware vSphere, moved to Products Not Affected
3.0 20180107 FAS/AFF System Firmware (BIOS) moved back to Products Under Investigation
4.0 20180108 ATTO FibreBridge moved to Products Not Affected, Brocade Fabric Operating System Firmware and Brocade Network Operating System Firmware moved to Products Under Investigation
5.0 20180109 SANtricity Impact added.
6.0 20180112 OnCommand Unified Manager for VMware vSphere Impact added. Service Processor moved to Products Not Affected.
7.0 20180116 NetApp HCI split into NetApp HCI Compute Nodes and NetApp HCI Storage Nodes. Brocade Fabric Operating System Firmware, Brocade Network Operating System Firmware, and NetApp HCI Storage Nodes moved to Products Not Affected.
8.0 20180117 FAS/AFF System Firmware (BIOS) moved to Products Not Affected, NetApp HCI Compute Node moved to Affected Products.
9.0 20180125 NetApp SteelStore Cloud Integrated Storage added to Products Under Investigation
10.0 20180126 NetApp SteelStore Cloud Integrated Storage moved to Products Not Affected.
11.0 20180201 NetApp SolidFire Element OS Management Node added to the advisory and moved to Affected Products.
12.0 20180307 Cluster Network Switch (NetApp CN1610) moved to Products not Affected
13.0 20180321 Updated Impact for NetApp HCI Compute Node and NetApp SolidFire Element OS Management Node
14.0 20180417 Updated Impact for NetApp HCI Compute Node and NetApp SolidFire Element OS Management Node
15.0 20200612 NetApp HCI Compute Node (Bootstrap OS) moved to Products Not Affected, Final status

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2017 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.