Storage vulnerabilities
At the time of writing this book, there were no publicized vulnerabilities for any of the major SAN or NAS vendors specific to the access protocols' Fiber Channel or iSCSI. The following two vulnerabilities are for storage vendor management, listed in the National Vulnerability Database (http://nvd.nist.gov).
A number of the vulnerabilities listed specific to storage center around some form of management and authentication information being sent or stored in clear text:
Note
National Cyber Awareness System
Vulnerability summary for CVE-2013-3278
Original release date: 10/01/2013
Last revised: 10/02/2013
Source: US-CERT/NIST
Overview
EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage of the LDAP/AD bind password, which allows local users to obtain sensitive information by reading the management-server configuration file.
Impact
CVSS severity (Version 2.0):
CVSS v2 base score: 4.9 (MEDIUM) (AV:L/AC:L/Au:N/C:C/I:N/A:N) (legend)
Impact subscore: 6.9
Exploitability subscore: 3.9
CVSS Version 2 metrics:
Access vector: Locally exploitable
Access complexity: Low
Authentication: Not required to exploit
Impact type: This allows the unauthorized disclosure of information
Another example from Hitachi shows vulnerability in the Network Node Manager that allows remote attacks:
Note
National Cyber Awareness System
Vulnerability summary for CVE-2012-5001
Original release date: 09/19/2012
Last revised: 09/20/2012
Source: US-CERT/NIST
Overview
Multiple unspecified vulnerabilities in Hitachi JP1/Cm2/Network Node Manager i before 09-50-03 allow remote attackers to cause a denial of service and possibly execute the arbitrary code via unspecified vectors.
Impact
CVSS severity (Version 2.0):
CVSS v2 base score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact subscore: 6.4
Exploitability subscore: 10.0
CVSS Version 2 metrics:
Access vector: Network exploitable
Access complexity: Low
**NOTE: Access complexity is scored low due to insufficient information
Authentication: Not required to exploit
Impact type: This allows unauthorized disclosure of information, unauthorized modification, and the disruption of service
Both of these example vulnerabilities are in the management layer of the storage device, not within the data stream specific to the protocol transferring information between the SAN or NAS drivers and the hypervisor.
