Mailing List Archive

RPC Enumeration security finding
Hey there,

One of our customers had a pentester onsite who found the following issues with the NetApp filers there.

RPC Enumeration discovered
By sending a DUMP request to the portmapper, it is possible to enumerate the RPC services running on the remote port. Using this information, an attacker can connect and bind to each service by sending an RPC request to the remote port and exploit the host.

Note: Specific Target IPs are included in the "Detailed IP List."

nGuard recommends downloading the latest security patches from Microsoft.


Does anyone know what exactly the problem here is and if there are any tunables to change the behaviour on NetApp (Ontap9+) filers?

Thanks,

Alexander Griesser
Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser@anexia-it.com
Web: http://www.anexia-it.com

Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
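
As an added illustration (not part of the original thread or of any poster's message), the sketch below decodes the reply a portmapper returns to a DUMP call, following the XDR list layout of RFC 1833, and reports registrations that are missing from an expected inventory for the host. The sample reply bytes, port numbers, the unknown program number and the helper names are constructed for this example; UDP framing (no record marker) is assumed.

```python
import struct

# Well-known ONC RPC program numbers; anything else is reported by number.
RPC_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}
PROTOCOLS = {6: "tcp", 17: "udp"}

def parse_dump_reply(data: bytes):
    """Decode a PMAPPROC_DUMP reply (UDP framing) into (name, vers, proto, port)."""
    if len(data) < 24:
        raise ValueError("shorter than a minimal RPC reply")
    _xid, msg_type, reply_stat, _flavor, verf_len = struct.unpack_from(">5I", data)
    if msg_type != 1 or reply_stat != 0:      # REPLY, MSG_ACCEPTED
        raise ValueError("not an accepted RPC reply")
    off = 20 + ((verf_len + 3) & ~3)          # skip verifier body, padded to 4 bytes

    def u32(pos):
        if pos + 4 > len(data):
            raise ValueError("truncated reply")
        return struct.unpack_from(">I", data, pos)[0]

    if u32(off) != 0:                         # accept_stat must be SUCCESS
        raise ValueError("call was not successful")
    off += 4
    mappings = []
    while u32(off):                           # value_follows flag of the XDR list
        prog, vers, prot, port = (u32(off + 4 + 4 * i) for i in range(4))
        mappings.append((RPC_PROGRAMS.get(prog, f"unknown({prog})"), vers,
                         PROTOCOLS.get(prot, str(prot)), port))
        off += 20
    return mappings

def unexpected(mappings, expected_names):
    """Registrations whose program is not in the inventory for this host."""
    return [m for m in mappings if m[0] not in expected_names]

def sample_reply():
    """Constructed reply: xid 1, AUTH_NONE verifier, five made-up mappings."""
    rows = [(100000, 2, 17, 111), (100003, 3, 6, 2049), (100005, 3, 17, 635),
            (100021, 4, 6, 4045), (0x20000001, 1, 6, 40000)]
    body = b"".join(struct.pack(">5I", 1, *r) for r in rows) + struct.pack(">I", 0)
    return struct.pack(">6I", 1, 1, 0, 0, 0, 0) + body

if __name__ == "__main__":
    found = parse_dump_reply(sample_reply())
    for m in unexpected(found, {"portmapper", "nfs", "mountd", "nlockmgr", "status"}):
        print("not in inventory:", m)
```
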
Re: RPC Enumeration security finding [ In reply to ]
I would say....

Yeah sure that would affect a MICROSOFT box. However this is A FALSE POSITIVE as the target of inquiry is a NetApp ONTAP box and the diagnosis clearly thinks it is Microsoft.


________________________________
From: toasters-bounces@teaparty.net on behalf of Alexander Griesser <agriesser@anexia-it.com>
Sent: Wednesday, July 24, 2019 12:51 AM
To: Toasters
Subject: RPC Enumeration security finding

RE: RPC Enumeration security finding [ In reply to ]
These scans generally look for common ports when notifying for vulnerabilities. SMB uses the same ports on Windows and ONTAP. But ONTAP doesn't have the same codeline as Microsoft, so this issue won't apply.

From: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> On Behalf Of Tim McCarthy
Sent: Wednesday, July 24, 2019 7:22 AM
To: Alexander Windbichler <AGriesser@anexia-it.com>; Toasters <toasters@teaparty.net>
Subject: Re: RPC Enumeration security finding

RE: RPC Enumeration security finding [ In reply to ]
Thanks for all your feedback - this was my assumption too, just wanted to get some more "votes" on the false positive idea.

Best,

Alexander Griesser

From: Parisi, Justin <Justin.Parisi@netapp.com>
Sent: Wednesday, 24 July 2019 15:09
To: Tim McCarthy <tmacmd@gmail.com>; Alexander Griesser <AGriesser@anexia-it.com>; Toasters <toasters@teaparty.net>
Subject: RE: RPC Enumeration security finding
