Tuesday, March 17, 2020

ANOTHER SMB vulnerability? Not for ONTAP!

Well, well, well. Imagine that. Microsoft is announcing another vulnerability in SMB.

For those of you that missed it:
CVE-2020-0796 is a unique ID assigned to a Microsoft-specific vulnerability in their SMB v3.1.1 compression code. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

The question always arises: "Is ONTAP vulnerable?"

Well... what we do is take the vulnerability and assess it against ONTAP. We make no assumptions: either we confirm that ONTAP is not vulnerable, or we log the vulnerability and fix it ASAP.
Why is ONTAP not automatically vulnerable like Windows? Doesn't it run SMB? Well, yes it does, but the code that runs ONTAP's SMB stack is proprietary NetApp code. It is a completely NetApp-written stack. ONTAP does not run or share any Microsoft SMB code. If there are vulnerabilities in the Microsoft code, they are not necessarily in the ONTAP code.
There is, however, a possibility that the vulnerability exists in the protocol standard. And any time there is a vulnerability in an implementation of a protocol, it is possible that NetApp could have made the same errors in its own implementation, leading to a similar vulnerability.

The bottom line:
This particular vulnerability is in the SMB 3.1.1 compression feature implementation in Windows. NetApp has determined that ONTAP is not vulnerable to this. ONTAP does not support the SMB 3.1.1 compression feature and therefore is not vulnerable.
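Whether a server supports SMB 3.1.1 compression is visible in its NEGOTIATE response, which carries an SMB2_COMPRESSION_CAPABILITIES negotiate context only when compression is negotiated. The following is an added example, not NetApp or Microsoft code: it parses a captured response (SMB2 header onward, without the 4-byte transport length prefix) using the field layout from the MS-SMB2 specification. The function names and sample bytes are constructed for illustration, and it assumes the client offered compression in its request.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_COMPRESSION_CAPABILITIES = 0x0003  # negotiate context type (MS-SMB2)
DIALECT_311 = 0x0311

def negotiate_contexts(resp: bytes):
    """Yield (type, data) for each negotiate context in an SMB2 NEGOTIATE response."""
    if len(resp) < 128 or resp[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response")
    dialect, count = struct.unpack_from("<HH", resp, 68)  # DialectRevision, NegotiateContextCount
    if dialect != DIALECT_311:
        return  # negotiate contexts exist only in dialect 3.1.1
    (off,) = struct.unpack_from("<I", resp, 124)  # NegotiateContextOffset, from header start
    for _ in range(count):
        if off + 8 > len(resp):
            raise ValueError("truncated negotiate context header")
        ctype, dlen = struct.unpack_from("<HH", resp, off)
        data = resp[off + 8 : off + 8 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated negotiate context data")
        yield ctype, data
        off = (off + 8 + dlen + 7) & ~7  # the next context is 8-byte aligned

def compression_algorithms(resp: bytes):
    """Return the compression algorithm IDs the server advertises, or []."""
    for ctype, data in negotiate_contexts(resp):
        if ctype == SMB2_COMPRESSION_CAPABILITIES and len(data) >= 8:
            (n,) = struct.unpack_from("<H", data, 0)  # CompressionAlgorithmCount
            n = min(n, (len(data) - 8) // 2)
            algs = struct.unpack_from("<%dH" % n, data, 8)
            return [a for a in algs if a != 0]  # 0x0000 means NONE
    return []

def build_sample(contexts):
    """Build a constructed 3.1.1 NEGOTIATE response carrying the given contexts."""
    hdr = SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)
    body = struct.pack("<HHHH", 65, 1, DIALECT_311, len(contexts)) + bytes(52) + struct.pack("<I", 128)
    ctx = b""
    for ctype, data in contexts:
        ctx += bytes(-len(ctx) % 8) + struct.pack("<HHI", ctype, len(data), 0) + data
    return hdr + body + ctx

# Constructed sample responses (not captured from any real server).
PREAUTH = (0x0001, struct.pack("<HHH", 1, 32, 1) + bytes(32))
NO_COMPRESSION = build_sample([PREAUTH])
WITH_COMPRESSION = build_sample([PREAUTH, (0x0003, struct.pack("<HHIH", 1, 0, 0, 1))])

if __name__ == "__main__":
    print(compression_algorithms(NO_COMPRESSION), compression_algorithms(WITH_COMPRESSION))
```

An empty result means the response advertises no usable compression algorithm; a non-empty one lists the algorithm IDs the server agreed to.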

NOTE: There is no need to post "not vulnerable" responses. There will not be an official report that says ONTAP is not vulnerable.