Data ONTAP products implement the SMB protocol. Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which when exploited could potentially lead to information disclosure, privilege escalation, or a Denial of Service.
CVEID: CVE-2016-3997 DESCRIPTION: N series Clustered Data ONTAP is vulnerable to a man-in-the-middle attack, caused by the failure to enforce SMB signing by the implementation of the SMB protocol. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID: CVE-2016-3400 DESCRIPTION: N series Data ONTAP is vulnerable to a man-in-the-middle attack, caused by an error when operating in 7-Mode. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.1.x, 8.2.x
Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.2.4P3D1
By default, required SMB signing is disabled. After upgrading the Data ONTAP filesystem to the above version, customers can enable SMB signing by using the command below, which will avoid SMB vulnerabilities:
vserver cifs security modify -vserver vserver_name -is-signing-required true
For customers who use Clustered Data ONTAP 8.2.x, IBM urges them to use the above command to avoid SMB vulnerabilities.
For customers who use Data ONTAP operating in 7-Mode 8.1.x, 8.2.x, please contact IBM support or go to this link to download a supported release, and enforce SMB1, SMB2 signing.
IBM strongly suggests that customers download and upgrade to a fixed version and use the remediation described above. For customers who cannot upgrade the product version, IBM suggests the following to mitigate the vulnerability:
1. Risk can be lowered by avoiding login/authentication of privileged accounts over unprotected networks. If possible, administrators should limit the use of privileged SMB sessions to trusted networks as a partial mitigation to man-in-the-middle attacks.
2. Data ONTAP operating in 7-Mode is capable of enforcing SMB2 signing but is not capable of enforcing SMB1 signing or completely disabling SMB1. To mitigate potential SMB man-in-the-middle attacks, perform both of the following:
o Enforce SMB2 signing in Data ONTAP operating in 7-Mode
o Disable SMB1 negotiation on all clients accessing Data ONTAP operating in 7-Mode SMB shares
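One way to verify that the signing remediation and the SMB1 mitigation above took effect is to inspect the SecurityMode field the server returns in its NEGOTIATE response. This is an added example, not IBM or NetApp code; the function names are hypothetical and the sample messages are constructed, not captured from a real system.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_SIGNATURES_REQUIRED = 0x08    # bit in the 1-byte SMB1 SecurityMode
SMB2_SIGNING_REQUIRED = 0x0002     # bit in the 2-byte SMB2 SecurityMode

def signing_posture(msg: bytes) -> dict:
    """Parse an SMB NEGOTIATE response (payload after the 4-byte transport length)."""
    if msg[:4] == SMB2_MAGIC:
        # Command field sits at offset 12 of the SMB2 header; 0 means NEGOTIATE.
        if len(msg) < 70 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not a complete SMB2 NEGOTIATE response")
        # 64-byte header, then StructureSize(2), SecurityMode(2), DialectRevision(2)
        mode, dialect = struct.unpack_from("<HH", msg, 66)
        return {"protocol": "SMB2", "dialect": dialect,
                "signing_required": bool(mode & SMB2_SIGNING_REQUIRED)}
    if msg[:4] == SMB1_MAGIC:
        # 32-byte header, then WordCount(1), DialectIndex(2), SecurityMode(1)
        if len(msg) < 36 or msg[4] != 0x72 or msg[32] != 17:
            raise ValueError("not an NT LM 0.12 SMB1 NEGOTIATE response")
        return {"protocol": "SMB1", "dialect": None,
                "signing_required": bool(msg[35] & SMB1_SIGNATURES_REQUIRED)}
    raise ValueError("not an SMB message")

def findings(msg: bytes, smb1_allowed: bool = True) -> list:
    """Return policy findings; pass smb1_allowed=False for 7-Mode shares."""
    p = signing_posture(msg)
    out = []
    if not p["signing_required"]:
        out.append(f"{p['protocol']} signing is not required by the server")
    if p["protocol"] == "SMB1" and not smb1_allowed:
        out.append("SMB1 was negotiated; disable SMB1 on this client")
    return out

# Constructed sample responses (not captured from a real system).
def sample_smb2(mode: int, dialect: int = 0x0210) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, 0, 1, 1) + bytes(44)
    return header + struct.pack("<HHH", 65, mode, dialect)

def sample_smb1(mode: int) -> bytes:
    return SMB1_MAGIC + b"\x72" + bytes(27) + bytes([17]) + struct.pack("<HB", 0, mode)

if __name__ == "__main__":
    for name, msg in [("SMB2, signing enabled only", sample_smb2(0x0001)),
                      ("SMB2, signing required", sample_smb2(0x0003)),
                      ("SMB1, signing enabled only", sample_smb1(0x07))]:
        print(name, "->", findings(msg, smb1_allowed=False) or "ok")
```

A server that still reports "signing is not required" after the modify command has not picked up the setting for that vserver.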
| CPE | Name | Operator | Version |
|---|---|---|---|
| | clustered data ontap: 8.2.x; data ontap operating in 7-mode: 8.1.x, | eq | 8.2.x |