Storage vulnerabilities

At the time of writing this book, there were no publicized vulnerabilities for any of the major SAN or NAS vendors specific to the access protocols' Fiber Channel or iSCSI. The following two vulnerabilities are for storage vendor management, listed in the National Vulnerability Database (http://nvd.nist.gov).

A number of the vulnerabilities listed specific to storage center around some form of management and authentication information being sent or stored in clear text:

Note

National Cyber Awareness System

Vulnerability summary for CVE-2013-3278

Original release date: 10/01/2013

Last revised: 10/02/2013

Source: US-CERT/NIST

Overview

EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage of the LDAP/AD bind password, which allows local users to obtain sensitive information by reading the management-server configuration file.

Impact

CVSS severity (Version 2.0):

CVSS v2 base score: 4.9 (MEDIUM) (AV:L/AC:L/Au:N/C:C/I:N/A:N) (legend)

Impact subscore: 6.9

Exploitability subscore: 3.9

CVSS Version 2 metrics:

Access vector: Locally exploitable

Access complexity: Low

Authentication: Not required to exploit

Impact type: This allows the unauthorized disclosure of information

Another example from Hitachi shows vulnerability in the Network Node Manager that allows remote attacks:

Note

National Cyber Awareness System

Vulnerability summary for CVE-2012-5001

Original release date: 09/19/2012

Last revised: 09/20/2012

Source: US-CERT/NIST

Overview

Multiple unspecified vulnerabilities in Hitachi JP1/Cm2/Network Node Manager i before 09-50-03 allow remote attackers to cause a denial of service and possibly execute the arbitrary code via unspecified vectors.

Impact

CVSS severity (Version 2.0):

CVSS v2 base score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact subscore: 6.4

Exploitability subscore: 10.0

CVSS Version 2 metrics:

Access vector: Network exploitable

Access complexity: Low

**NOTE: Access complexity is scored low due to insufficient information

Authentication: Not required to exploit

Impact type: This allows unauthorized disclosure of information, unauthorized modification, and the disruption of service

Both of these example vulnerabilities are in the management layer of the storage device, not within the data stream specific to the protocol transferring information between the SAN or NAS drivers and the hypervisor.