Re: Network Appliance iSCSI Authentication Bypass

From: Steve Shockley (steve.shockley_at_shockley.net)
Date: 10/28/05

    Date: Thu, 27 Oct 2005 22:20:37 -0400
    To: advisories@matasano.com, bugtraq@securityfocus.com
    
    

    advisories@matasano.com wrote:
    > ### Vendor Response
    >
    > Network Appliance Data ONTAP 7.0.2 is a General Availability release:
    > http://now.netapp.com/NOW/cgi-bin/software
    >
    >
    > Release of this advisory was coordinated with Network
    > Appliance. Network Appliance has confirmed this vulnerability. For
    > further information about the vulnerability disclosed in this
    > advisory, see
    > [NOW.NETAPP.COM BugsOnline](http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359).

    Network Appliance sent out Field Alert Notice #260 to customers today
    about this upgrade. From their email:

        Important Fixes
        ---------------
        175888 - Filer stops serving NFS after a bad thread synchronization
                 event

        176788 - FAS3020/FAS3050 may respond slowly to requests, exhibit poor
                 performance

    That's it. NOT ONE WORD ABOUT A VULNERABILITY OR A FIX. From reading
    that synopsis, if I weren't using NFS or a FAS3020/FAS3050, I probably
    wouldn't be very interested in applying the update, and my systems would
    remain vulnerable.

    You're releasing security fixes for an infrastructure product without
    telling your customers! Who do you think you are, Cisco?

    Almost as annoying: I went to view the NetApp pages linked above, and
    the site made me register. After registration, I'm told I'm not
    authorized to view the pages. (So why'd you want me to register?)

