History: Dec 15, 2021 - 6:05 p.m.

Security Bulletin: SMB vulnerabilities in IBM N Series Products

2021-12-15 18:05:07
www.ibm.com
EPSS: 0.003 (Low), Percentile: 69.8%

Summary

Data ONTAP products implement the SMB protocol. Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which, when exploited, could potentially lead to information disclosure, privilege escalation, or a Denial of Service.

Vulnerability Details

Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which, when exploited, could potentially lead to information disclosure, privilege escalation, or a Denial of Service.

CVEID: CVE-2016-3997
DESCRIPTION: N series Clustered Data ONTAP is vulnerable to a man-in-the-middle attack, caused by the failure to enforce SMB signing by the implementation of the SMB protocol. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-3400
DESCRIPTION: N series Data ONTAP is vulnerable to a man-in-the-middle attack, caused by an error when operating in 7-Mode. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.1.x, 8.2.x

Remediation/Fixes

Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.2.4P3D1

By default, required SMB signing is disabled. After upgrading the Data ONTAP filesystem to the above version, customers can enable SMB signing by using the command below, which will avoid the SMB vulnerabilities:
vserver cifs security modify -vserver vserver_name -is-signing-required true

IBM urges customers who use Clustered Data ONTAP 8.2.x to use the above command to avoid the SMB vulnerabilities.
Customers who use Data ONTAP operating in 7-Mode 8.1.x, 8.2.x should contact IBM support or go to this link to download a supported release, and enforce SMB1, SMB2 signing.

Workarounds and Mitigations

IBM strongly suggests that customers download and upgrade to a fixed version and use the remediation described above. For customers who cannot upgrade the product version, IBM suggests the following to mitigate the vulnerability:

1. Risk can be lowered by avoiding login/authentication of privileged accounts over unprotected networks. If possible, administrators should limit the use of privileged SMB sessions to trusted networks as a partial mitigation to man-in-the-middle attacks.

2. Data ONTAP operating in 7-Mode is capable of enforcing SMB2 signing but is not capable of enforcing SMB1 signing or completely disabling SMB1. To mitigate potential SMB man-in-the-middle attacks perform both of the following:

o Enforce SMB2 signing in Data ONTAP operating in 7-Mode

o Disable SMB1 negotiation on all clients accessing Data ONTAP operating in 7-Mode SMB shares
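
To confirm from the client side that a filer enforces signing after the remediation or the 7-Mode workaround, the SecurityMode field of its NEGOTIATE response can be inspected. The following is an added example, not part of the IBM bulletin: the function names and the sample byte strings are constructed for illustration, and the field offsets assume the standard SMB2 and SMB1 (NT LM 0.12) NEGOTIATE response layouts.

```python
import struct

SMB2_SIGNING_ENABLED, SMB2_SIGNING_REQUIRED = 0x0001, 0x0002  # SMB2 SecurityMode
SMB1_SIGNING_ENABLED, SMB1_SIGNING_REQUIRED = 0x04, 0x08      # SMB1 SecurityMode
SMB1_COM_NEGOTIATE, SMB2_NEGOTIATE = 0x72, 0x0000


def signing_posture(msg: bytes) -> dict:
    """Read the signing flags from a raw NEGOTIATE response (no transport framing)."""
    if msg[:4] == b"\xfeSMB":
        if len(msg) < 70 or struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
            raise ValueError("not a complete SMB2 NEGOTIATE response")
        # Body after the 64-byte header: StructureSize, SecurityMode, DialectRevision
        _, mode, _ = struct.unpack_from("<HHH", msg, 64)
        return {"protocol": "SMB2",
                "enabled": bool(mode & SMB2_SIGNING_ENABLED),
                "required": bool(mode & SMB2_SIGNING_REQUIRED)}
    if msg[:4] == b"\xffSMB":
        if len(msg) < 36 or msg[4] != SMB1_COM_NEGOTIATE:
            raise ValueError("not a complete SMB1 NEGOTIATE response")
        # 32-byte header, then WordCount (1), DialectIndex (2), SecurityMode (1)
        mode = msg[35]
        return {"protocol": "SMB1",
                "enabled": bool(mode & SMB1_SIGNING_ENABLED),
                "required": bool(mode & SMB1_SIGNING_REQUIRED)}
    raise ValueError("not an SMB message")


def finding(msg: bytes) -> str:
    """Map the flags to the state the bulletin asks for (signing required)."""
    p = signing_posture(msg)
    if p["required"]:
        return f"{p['protocol']}: signing required"
    state = "offered but optional" if p["enabled"] else "disabled"
    return f"{p['protocol']}: signing {state}, not enforced"


# Constructed sample responses (not captured from a real system).
def sample_smb2(mode: int) -> bytes:
    header = b"\xfeSMB" + struct.pack("<HHIHH", 64, 0, 0, SMB2_NEGOTIATE, 1) + bytes(48)
    return header + struct.pack("<HHH", 65, mode, 0x0210) + bytes(58)


def sample_smb1(mode: int) -> bytes:
    return b"\xffSMB" + bytes([SMB1_COM_NEGOTIATE]) + bytes(27) + bytes([17, 0, 0, mode])


if __name__ == "__main__":
    for m in (sample_smb2(0x0001), sample_smb2(0x0003), sample_smb1(0x03)):
        print(finding(m))
```

An SMB1 response from a 7-Mode system is itself a finding, since the bulletin states that 7-Mode cannot enforce SMB1 signing or disable SMB1.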
