IBM Support

Security Bulletin: SMB vulnerabilities in IBM N Series Products

Security Bulletin


Summary

Data ONTAP products implement the SMB protocol. Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which when exploited could potentially lead to information disclosure, privilege escalation, or a Denial of Service.

Vulnerability Details

Systems that implement the SMB protocol can be susceptible to one or more man-in-the-middle attacks which when exploited could potentially lead to information disclosure, privilege escalation, or a Denial of Service.

CVEID: CVE-2016-3997
DESCRIPTION: N series Clustered Data ONTAP is vulnerable to a man-in-the-middle attack, caused by the failure to enforce SMB signing by the implementation of the SMB protocol. An attacker could exploit thisk vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-3400
DESCRIPTION: N series Data ONTAP is vulnerable to a man-in-the-middle attack, caused by an error when operating in 7-Mode. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and obtain sensitive information, gain elevated privileges or cause a denial of service.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.1.x, 8.2.x

Remediation/Fixes

Clustered Data ONTAP: 8.2.x;
Data ONTAP operating in 7-Mode: 8.2.4P3D1

By default, required SMB signing is disabled. After upgrading Data ONTAP filesystem to above version, customers can enable SMB signing by using the below command which will avoid SMB vulnerabilities:"
vserver cifs security modify -vserver vserver_name -is-signing-required true

For customers who use Clustered Data ONTAP 8.2.x, IBM urges them to use above command to avoid SMB vulnerabilities.
For customers who use Data ONTAP operating in 7-Mode 8.1.x, 8.2.x, Please contact IBM support or go to this link to download a supported release, and enforce SMB1,SMB2 signing.

Workarounds and Mitigations

IBM strongly suggest customers to download and upgrade a fix version and use remediation described above. But for customers who can not upgrade the product version, IBM suggest you use below suggestion to mitigate the vulnerability:

1. Risk can be lowered by avoiding login/authentication of privileged accounts over unprotected networks. If possible, administrators should limit the use of privileged SMB sessions to trusted networks as a partial mitigation to man-in-the-middle attacks.

2. Data ONTAP operating in 7-Mode is capable of enforcing SMB2 signing but is not capable of enforcing SMB1 signing or completely disabling SMB1. To mitigate potential SMB man-in-the-middle attacks perform both of the following:

o Enforce SMB2 signing in Data ONTAP operating in 7-Mode

o Disable SMB1 negotiation on all clients accessing Data ONTAP operating in 7-Mode SMB shares

Get Notified about Future Security Bulletins

References

Off

Change History

22 July 2016: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"nseries","label":"IBM System Storage N series"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"CIFS","Platform":[{"code":"","label":"Data ONTAP"}],"Version":"Not Applicable","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
15 December 2021

UID

ssg1S1006063