Summary
Multiple NetApp products incorporate OpenSSH. OpenSSH versions 7.7 through 7.9 and 8.x before 8.1 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
We use OpenSSH(7.7 & 8.1) OS: Windows Server 2019 Standard. From time to time, the service hangs - although the state of the service is running (in service management), it stops listening on port 22. In some cases, when trying to connect using telnet, we get a 'black screen' without the local version string.
Impact
- SSH (Secure Shell) is a protocol which facilitates secure communications between two systems using a client-server architecture and allows users to log in to server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
- OpenSSH 7.7/7.7p1 (2018-04-02) OpenSSH 7.7 was released on 2018-04-02. It is available from the mirrors listed at OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
Vulnerability Scoring Details
CVE | Score | Vector |
---|---|---|
CVE-2019-16905 | 9.8 (CRITICAL) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Exploitation and Public Announcements
Openssh 7.7 Price
NetApp is aware of public discussion of this vulnerability.
References
Affected Products
- NetApp SteelStore Cloud Integrated Storage
Products Under Investigation
- NetApp Cloud Backup (formerly AltaVault)
- NetApp SolidFire Baseboard Management Controller (BMC)
Products Not Affected
- 7-Mode Transition Tool
- AFF Baseboard Management Controller (BMC) - A700s
- ATTO FibreBridge
- Active IQ Unified Manager (formerly OnCommand Unified Manager) for Linux 7.3 and above
- Active IQ Unified Manager (formerly OnCommand Unified Manager) for VMware vSphere 9.5 and above
- Active IQ Unified Manager (formerly OnCommand Unified Manager) for Windows 7.3 and above
- Active IQ mobile app
- Brocade Fabric Operating System Firmware
- Brocade Network Advisor Software
- Brocade SAN Navigator (SANnav)
- Cloud Insights Telegraf Agent
- Cloud Volumes ONTAP Mediator
- Clustered Data ONTAP
- Clustered Data ONTAP Antivirus Connector
- Data ONTAP operating in 7-Mode
- E-Series SANtricity OS Controller Software 11.x
- E-Series SANtricity Storage Manager
- E-Series SANtricity Web Services (REST API) for Web Services Proxy
- Element HealthTools
- Element Plug-in for vCenter Server
- FAS/AFF BIOS
- FAS/AFF Baseboard Management Controller (BMC)
- Host Utilities - SAN for Linux
- Host Utilities - SAN for Windows
- MAX Data
- MetroCluster Tiebreaker for clustered Data ONTAP
- NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)
- NetApp Converged Systems Advisor Agent
- NetApp E-Series Performance Analyzer
- NetApp HCI Baseboard Management Controller (BMC)
- NetApp HCI Baseboard Management Controller (BMC) - H300S/H500S/H700S/H300E/H500E/H700E/H410S
- NetApp HCI Compute Node (Bootstrap OS)
- NetApp HCI Compute Node BIOS
- NetApp HCI Storage Nodes
- NetApp Manageability SDK
- NetApp NFS Plug-in for VMware VAAI
- NetApp Plug-in for Symantec NetBackup
- NetApp SANtricity Cloud Connector
- NetApp SANtricity SMI-S Provider
- NetApp SMI-S Provider
- NetApp Service Level Manager
- NetApp SolidFire & HCI Management Node
- NetApp SolidFire & HCI Storage Node (Element Software)
- NetApp SolidFire Plug-in for vRealize Orchestrator (SolidFire vRO)
- NetApp Storage Encryption
- NetApp VASA Provider for Clustered Data ONTAP 7.2 and above
- ONTAP Select Deploy administration utility
- OnCommand API Services
- OnCommand Cloud Manager
- OnCommand Insight
- OnCommand System Manager 3.x
- OnCommand System Manager 9.x
- OnCommand Unified Manager for 7-Mode (core package)
- OnCommand Workflow Automation
- Open Systems SnapVault Agent
- RAID Controller CTS2600 Legacy Engenio
- SANtricity Unified Manager
- SAS Firmware
- Service Processor
- Single Mailbox Recovery
- Snap Creator Framework
- SnapCenter
- SnapCenter Plug-in for VMware vSphere
- SnapDrive for Unix
- SnapDrive for Windows
- SnapManager for Exchange
- SnapManager for Hyper-V
- SnapManager for MS SQL
- SnapManager for Oracle
- SnapManager for SAP
- SnapManager for Sharepoint
- SolidFire Storage Replication Adapter
- Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above
- Storage Replication Adapter for Clustered Data ONTAP for Windows 7.2 and above
- Storage Services Connector
- StorageGRID (formerly StorageGRID Webscale)
- StorageGRID Baseboard Management Controller (BMC)
- StorageGRID9 (9.x and prior)
- System Setup
- Trident
- Virtual Storage Console for VMware vSphere 7.2 and above
Software Versions and Fixes
NetApp's currently available patches are listed below.
Product | First Fixed in Release |
---|---|
NetApp SteelStore Cloud Integrated Storage | NetApp SteelStore Cloud Integrated Storage has no plans to address this vulnerability. See the EOA announcement for more information. |
Workarounds
None at this time.
Obtaining Software Fixes
Software fixes will be made available through the NetApp Support website in the Software Download section.
Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.
Contact Information
Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:
Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)
Status of This Notice
Interim.
Openssh 7.7p1
NetApp will continue to update this advisory as additional information becomes available.
This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.
This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20191024-0003
Revision History
Revision # | Date | Comments |
---|---|---|
1.0 | 20191024 | Initial Public Release |
2.0 | 20191028 | AFF Baseboard Management Controller (BMC) - A700s moved to Products Not Affected |
3.0 | 20191101 | FAS/AFF Baseboard Management Controller (BMC) and Service Processor moved to Products Not Affected |
4.0 | 20191106 | OnCommand Unified Manager for 7-Mode (core package) moved to Products Not Affected |
5.0 | 20200207 | NetApp HCI Baseboard Management Controller (BMC) moved to Products Not Affected |
6.0 | 20200901 | NetApp SteelStore Cloud Integrated Storage moved to Won't Fix status |
This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2017 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.
-->OpenSSH is the open-source version of the Secure Shell (SSH) tools used by administrators of Linux and other non-Windows for cross-platform management of remote systems.OpenSSH has been added to Windows as of autumn 2018, and is included in Windows 10 and Windows Server 2019.
SSH is based on a client-server architecture where the system the user is working on is the client and the remote system being managed is the server.OpenSSH includes a range of components and tools designed to provide a secure and straightforward approach to remote system administration, including:
- sshd.exe, which is the SSH server component that must be running on the system being managed remotely
- ssh.exe, which is the SSH client component that runs on the user's local system
- ssh-keygen.exe generates, manages and converts authentication keys for SSH
- ssh-agent.exe stores private keys used for public key authentication
- ssh-add.exe adds private keys to the list allowed by the server
- ssh-keyscan.exe aids in collecting the public SSH host keys from a number of hosts
- sftp.exe is the service that provides the Secure File Transfer Protocol, and runs over SSH
- scp.exe is a file copy utility that runs on SSH
Documentation in this section focuses on how OpenSSH is used on Windows, including installation, and Windows-specific configuration and use cases. Here are the topics:
Additional detailed documentation for common OpenSSH features is available online at OpenSSH.com.
The master OpenSSH open source project is managed by developers at the OpenBSD Project.The Microsoft fork of this project is in GitHub.Feedback on Windows OpenSSH is welcomed and can be provided by creating GitHub issues in our OpenSSH GitHub repo.