IBM Support

Security Bulletin: SMB vulnerabilities in IBM N Series Products

Security Bulletin


Summary

Data ONTAP products implement the SMB protocol. Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which, when exploited, could potentially lead to information disclosure, privilege escalation, or a denial of service.

Vulnerability Details

Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which, when exploited, could potentially lead to information disclosure, privilege escalation, or a denial of service.
CVEID: CVE-2016-3997
DESCRIPTION: N series Clustered Data ONTAP is vulnerable to a man-in-the-middle attack, caused by the failure of its SMB protocol implementation to enforce SMB signing. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-3400
DESCRIPTION: N series Data ONTAP is vulnerable to a man-in-the-middle attack, caused by an error when operating in 7-Mode. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.1.x, 8.2.x

Remediation/Fixes

Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.2.4P3D1

By default, required SMB signing is disabled. After upgrading Data ONTAP to the version listed above, customers can enable required SMB signing with the following command, which avoids the SMB vulnerabilities:
vserver cifs security modify -vserver vserver_name -is-signing-required true

IBM urges customers who use Clustered Data ONTAP 8.2.x to run the above command to avoid the SMB vulnerabilities.
Customers who use Data ONTAP operating in 7-Mode 8.1.x or 8.2.x should contact IBM support or go to this link to download a supported release, and enforce SMB1, SMB2 signing.

Workarounds and Mitigations

IBM strongly suggests that customers download and upgrade to a fixed version and apply the remediation described above. For customers who cannot upgrade the product version, IBM suggests the following measures to mitigate the vulnerability:

1. Risk can be lowered by avoiding login/authentication of privileged accounts over unprotected networks. If possible, administrators should limit the use of privileged SMB sessions to trusted networks as a partial mitigation to man-in-the-middle attacks.

2. Data ONTAP operating in 7-Mode is capable of enforcing SMB2 signing but is not capable of enforcing SMB1 signing or completely disabling SMB1. To mitigate potential SMB man-in-the-middle attacks, perform both of the following:

o Enforce SMB2 signing in Data ONTAP operating in 7-Mode

o Disable SMB1 negotiation on all clients accessing Data ONTAP operating in 7-Mode SMB shares
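
One way to confirm the effect of the remediation command and of mitigation 2 from a packet capture, as an added example that is not part of IBM's bulletin: the Python below reads a server's negotiate response and reports whether SMB1 was negotiated and whether the SMB2 SecurityMode field has the signing-required bit set. The function names, the `compliant` key and the sample frames are assumptions constructed for illustration; the field offsets follow the SMB2 NEGOTIATE response layout.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000    # SMB2 command code for NEGOTIATE
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def check_negotiate_response(frame: bytes) -> dict:
    """Classify a server's negotiate response taken from a packet capture."""
    # Direct-TCP (port 445) framing: one zero byte plus a 3-byte length.
    if len(frame) >= 8 and frame[0] == 0 and frame[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        frame = frame[4:]
    # An SMB1 reply means the client still negotiates SMB1, which 7-Mode
    # cannot force to be signed (mitigation 2).
    if frame[:4] == SMB1_MAGIC:
        return {"protocol": "SMB1", "signing_required": None, "compliant": False}
    if frame[:4] != SMB2_MAGIC or len(frame) < 70:
        raise ValueError("not an SMB negotiate response")
    header_size, = struct.unpack_from("<H", frame, 4)
    command, = struct.unpack_from("<H", frame, 12)
    if header_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    # Response body follows the 64-byte header: StructureSize, SecurityMode,
    # DialectRevision (each 2 bytes, little-endian).
    body_size, security_mode, dialect = struct.unpack_from("<HHH", frame, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response body size")
    required = bool(security_mode & SIGNING_REQUIRED)
    return {"protocol": "SMB2", "dialect": hex(dialect),
            "signing_required": required, "compliant": required}


def build_sample(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed sample: minimal SMB2 NEGOTIATE response, other fields zeroed."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQQQ", 64, 0, 0, SMB2_NEGOTIATE,
                                      1, 1, 0, 0, 0, 0) + bytes(16)
    body = struct.pack("<HHH", 65, security_mode, dialect) + bytes(58)
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    # Signing enabled but not required (the default state the bulletin describes).
    print(check_negotiate_response(build_sample(SIGNING_ENABLED)))
    # Signing required, as after "-is-signing-required true".
    print(check_negotiate_response(build_sample(SIGNING_ENABLED | SIGNING_REQUIRED)))
```
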

References

Change History

22 July 2016: Original Version Published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Data ONTAP
CIFS

Version: Not Applicable

Operating system(s): Data ONTAP

Reference #: S1006063

Modified date: 22 July 2016