Bugtraq mailing list archives

Re: NetApp Filer software versions 5.x: potential hardware killer


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Sat, 13 Feb 1999 10:01:46 -0500


> But now, apparently new with the 5.x revisions of the filer
> operating system, a malicious individual can likely destroy the disk
> drive hardware itself.

On reflection, this is really a bug in the disk drive.  If a NetApp can
shove new firmware into the drive, so could any host it's connected to.

How is this different from any host (Unix, Windows, DOS, network
equipment) that has one or more components with upgradeable firmware?

In my opinion, it isn't fundamentally different.  If I saw, for
example, a machine with flashable "PROM" code that *didn't* require
some physical change - eg, a jumper on the board - to enable that
functionality, I wouldn't go near the thing.

Any drive that allows its host to download new firmware without some
documented hard means of disabling this capability (typically a jumper
on the drive) is just *asking* for trouble.

NetApp is not the problem.  Given knowledge of the relevant commands to
the drive, any of the free-source OSes could become just as dangerous.
NetApp is contributing only in that they make it a little easier to
shove new firmware into a drive.

> If I recall correctly, the procedure goes something like this: after
> the new firmware has completed uploading, the checksum is verified
> and/or it is tested in other ways (there is room for both the old and
> new copies, I guess), and only then will the disk switch over to the
> new firmware using some atomic operation.

> So it may be true that someone could construct an evil firmware that
> also passes muster (it may be difficult to do this -- I don't know),

"I guess" - "may be true" - "I don't know".  This sounds a whole lot
like something bugtraq has seen many times before, a flavor of
security-through-obscurity: a device with a capability that has
unpleasant security implications that is rendered "secure" (note the
quotes) by keeping that capability secret.  I recall this most recently
with router boxes that have "secret" backdoor passwords, but this is
not fundamentally different.

> and upon gaining root access to your filer, instead of zeroing all of
> your disks, they turn your disks into bricks.

Mind you, I have trouble imagining what an attacker would want to do to
your drives except turning them into bricks (ie, a DoS attack) - but I
am not the least bit sure nobody will think of something fiendish that
I haven't thought of.

> To be honest, I don't know how irrecoverable today's disks are when a
> bad firmware is uploaded.

Mm-hmm.  More undocumented aspects of common hardware.

Seagate, Quantum, etc: any of you present on bugtraq?  Any of you care
to speak up and document these aspects of your drives?  Or if you *are*
using a standardized capability, point to where it's documented?

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
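
Added example (not part of the post above, and not NetApp's or any
drive vendor's code): a small Python sketch of the point der Mouse is
making about an evil firmware "passing muster".  The checksum the
quoted poster recalls is, as far as this page documents, unspecified;
the code below assumes a hypothetical 16-bit additive checksum as a
stand-in.  Any unkeyed checksum of that kind, and a CRC as well, can be
satisfied by whoever modified the image, because the attacker can
compute the fix-up bytes just as the vendor does.  What would stop the
attack is a keyed check the host cannot reproduce; here an HMAC over
the image stands in for a vendor signature.  GOOD_FW and EVIL_FW are
constructed sample images, not real drive firmware.

```python
import hashlib
import hmac
import secrets

# Constructed sample images (not real drive firmware): a 1 KiB "good"
# image and a tampered copy with 16 bytes at offset 100 overwritten.
GOOD_FW = bytes(range(256)) * 4
EVIL_FW = GOOD_FW[:100] + b"\x00" * 16 + GOOD_FW[116:]


def additive_checksum16(image: bytes) -> int:
    """Hypothetical integrity field: sum of all bytes modulo 2**16."""
    return sum(image) & 0xFFFF


def verify_checksum(image: bytes, expected: int) -> bool:
    """All an unauthenticated loader can check: does the sum match?"""
    return additive_checksum16(image) == expected


def forge_checksum(original: bytes, tampered: bytes) -> bytes:
    """Append fix-up bytes so `tampered` carries `original`'s checksum.

    Anyone who can compute the checksum can do this: it catches
    accidental corruption, not deliberate modification.
    """
    delta = (additive_checksum16(original)
             - additive_checksum16(tampered)) & 0xFFFF
    # Spend the difference in 0xFF-sized chunks, then the remainder.
    fixup = b"\xff" * (delta // 0xFF) + bytes([delta % 0xFF])
    return tampered + fixup


def sign_image(key: bytes, image: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256 stands in for a vendor signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_signed(key: bytes, image: bytes, tag: bytes) -> bool:
    """Loader check when the drive holds a key the host does not."""
    return hmac.compare_digest(sign_image(key, image), tag)


def demo(key: bytes = b"") -> dict:
    """Run both checks against the tampered image and report results."""
    key = key or secrets.token_bytes(32)
    expected_sum = additive_checksum16(GOOD_FW)
    forged = forge_checksum(GOOD_FW, EVIL_FW)
    tag = sign_image(key, GOOD_FW)
    return {
        "tampered_passes_checksum": verify_checksum(EVIL_FW, expected_sum),
        "forged_passes_checksum": verify_checksum(forged, expected_sum),
        "forged_passes_signature": verify_signed(key, forged, tag),
        "good_passes_signature": verify_signed(key, GOOD_FW, tag),
        "fixup_bytes": len(forged) - len(EVIL_FW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The seven fix-up bytes are all the attacker needs against the additive
sum; the HMAC rejects the forged image because the key never leaves the
drive.  A real drive would also need the key (or a public key for a
signature) stored where host-writable firmware cannot replace it, which
is the same physical-enable argument made above in a different form.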


