>> But now, apparently new with the 5.x revisions of the filer
>> operating system, a malicious individual can likely destroy the disk
>> drive hardware itself.

On reflection, this is really a bug in the disk drive. If a NetApp can
shove new firmware into the drive, so could any host it's connected to.

> How is this different from any host (Unix, Windows, DOS, network
> equipment) that has one or more components with upgradeable firmware?

In my opinion, it isn't fundamentally different. If I saw, for example,
a machine with flashable "PROM" code that *didn't* require some physical
change - e.g., a jumper on the board - to enable that functionality, I
wouldn't go near the thing. Any drive that allows its host to download
new firmware without some documented hard means of disabling this
capability (typically a jumper on the drive) is just *asking* for
trouble.

NetApp is not the problem. Given knowledge of the relevant commands to
the drive, any of the free-source OSes could become just as dangerous.
NetApp is contributing only in that they make it a little easier to
shove new firmware into a drive.

> If I recall correctly, the procedure goes something like this: after
> the new firmware has completed uploading, the checksum is verified
> and/or it is tested in other ways (there is room for both the old and
> new copies, I guess), and only then will the disk switch over to the
> new firmware using some atomic operation.

> So it may be true that someone could construct an evil firmware that
> also passes muster (it may be difficult to do this -- I don't know),

"I guess" - "may be true" - "I don't know". This sounds a whole lot
like something bugtraq has seen many times before, a flavor of
security-through-obscurity: a device with a capability that has
unpleasant security implications that is rendered "secure" (note the
quotes) by keeping that capability secret. I recall this most recently
with router boxes that have "secret" backdoor passwords, but this is
not fundamentally different.

> and upon gaining root access to your filer, instead of zeroing all of
> your disks, they turn your disks into bricks.

Mind you, I have trouble imagining what an attacker would want to do to
your drives except turning them into bricks (i.e., a DOS attack) - but I
am not the least bit sure nobody will think of something fiendish that
I haven't thought of.

> To be honest, I don't know how irrecoverable today's disks are when a
> bad firmware is uploaded.

Mm-hmm. More undocumented aspects of common hardware. Seagate, Quantum,
etc: any of you present on bugtraq? Any of you care to speak up and
document these aspects of your drives? Or if you *are* using a
standardized capability, point to where it's documented?

					der Mouse

			       mouseat_private
		     7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
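The update path the quoted poster describes (upload into a spare copy, verify, then switch over atomically) can be modelled in a few lines, and the model makes the thread's point concrete: a checksum only proves the image arrived intact, not where it came from. The Python below is an added example written for this archive page; it is not code from NetApp, from any drive vendor, or from the original posters. It goes beyond the text in two ways that the reply itself argues for: it adds a vendor-held tag (an HMAC standing in for a vendor signature) beside the plain checksum, and a hardware write-protect jumper. The `Drive` class, the image contents and the key are all constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a vendor signing key. A real drive would check a
# public-key signature; HMAC is enough here to model "only the vendor can
# produce a tag that verifies".
VENDOR_KEY = b"constructed-vendor-signing-key"


def crc32_tag(image: bytes) -> bytes:
    """Checksum that anyone holding the image can compute."""
    return zlib.crc32(image).to_bytes(4, "big")


def vendor_tag(image: bytes) -> bytes:
    """Tag that only the holder of VENDOR_KEY can compute."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def verify_crc(image: bytes, tag: bytes) -> bool:
    return crc32_tag(image) == tag


def verify_vendor(image: bytes, tag: bytes) -> bool:
    # compare_digest returns False for mismatched lengths, so a 4-byte CRC
    # offered in place of a 32-byte tag is simply rejected.
    return hmac.compare_digest(vendor_tag(image), tag)


class Drive:
    """Toy dual-bank firmware store (hypothetical): the host uploads into the
    inactive bank, the drive verifies, and only then flips the active-bank
    pointer in one step, so a rejected image never disturbs the old copy."""

    def __init__(self, factory_image: bytes, verify, write_protect_jumper: bool = False):
        self.slots = [factory_image, None]
        self.active = 0
        self.verify = verify
        self.jumper = write_protect_jumper

    def running_firmware(self) -> bytes:
        return self.slots[self.active]

    def upload(self, image: bytes, tag: bytes) -> str:
        if self.jumper:
            return "rejected: hardware write-protect set"
        staging = 1 - self.active
        self.slots[staging] = image            # old bank stays intact
        if not self.verify(image, tag):
            self.slots[staging] = None         # discard; nothing switched
            return "rejected: verification failed"
        self.active = staging                  # the "atomic operation"
        return "accepted"


def run_scenario() -> dict:
    """Run the three cases the thread discusses; every value should be True."""
    factory = b"FW-1.0 vendor build"           # constructed sample images
    vendor_update = b"FW-1.1 vendor build"
    host_built = b"FW-9.9 image assembled on the host"
    r = {}

    # 1. Checksum-only drive: whoever can send the image can send a matching
    #    checksum, so the check says nothing about the image's origin.
    d = Drive(factory, verify_crc)
    r["crc_accepts_host_image"] = d.upload(host_built, crc32_tag(host_built)) == "accepted"
    r["crc_now_running_host_image"] = d.running_firmware() == host_built

    # 2. Vendor-tag drive: the same image cannot carry a valid tag, the
    #    upload is discarded and the factory firmware keeps running.
    d = Drive(factory, verify_vendor)
    r["vendor_rejects_host_image"] = d.upload(host_built, crc32_tag(host_built)).startswith("rejected")
    r["vendor_keeps_factory"] = d.running_firmware() == factory
    r["vendor_accepts_signed_update"] = d.upload(vendor_update, vendor_tag(vendor_update)) == "accepted"

    # 3. Hardware interlock: with the jumper set, nothing is accepted no
    #    matter how the image is tagged, which is the reply's preferred fix.
    d = Drive(factory, verify_vendor, write_protect_jumper=True)
    r["jumper_blocks_even_vendor_update"] = d.upload(vendor_update, vendor_tag(vendor_update)).startswith("rejected")
    r["jumper_keeps_factory"] = d.running_firmware() == factory
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The model separates two properties the quoted poster runs together: the dual-bank layout with an atomic switch protects against a truncated or corrupted upload, while only an origin check (a vendor signature) or a physical interlock (the jumper) protects against a complete, well-formed image that the host was never meant to be able to install.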
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:29 PDT