NetApp ONTAP Storage Systems Vulnerability Allows Privilege Escalation

CVE: CVE-2024-21985
CVSS v3.1: 7.6
Source: CVE-2024-21985

NetApp ONTAP storage systems were found to have a vulnerability that could allow authenticated users to perform actions beyond their intended privileges if they had multiple remote accounts with different roles.

ONTAP is NetApp’s data management software that provides file and block storage services. Versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 were affected.

The vulnerability stemmed from how ONTAP handled authentication and authorization for REST API requests. An attacker holding accounts with different access levels could potentially view limited configuration details or metrics, or modify some settings meant for higher-privileged accounts. This could result in denial of service for legitimate users.

To exploit it, the attacker would need valid credentials for more than one account on the ONTAP system, at least one of which has higher privileges than the others. They could then switch between the accounts to perform unauthorized actions via the REST API.

NetApp has released updates to fix the issue. Administrators should apply the latest patches to their ONTAP versions to close this security hole. Users are also advised to review their account access policies and ensure strong passwords are used for all ONTAP administrative accounts. Regular audits of login activity can help detect any unauthorized access attempts arising from this vulnerability.
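As a first step in applying the patches above, an administrator needs to know which systems are still below the fixed patch level. The following is an added example, not NetApp code or part of the original advisory: it parses ONTAP version strings of the form "9.12.1P10" (format assumed) and checks them against the fixed releases listed in this advisory. Trains older than 9.9.1 are treated as affected and trains newer than 9.13.1 as not affected; both are assumptions.

```python
"""Flag ONTAP versions below the fix level for CVE-2024-21985.
Fixed releases come from the advisory; the version-string format and the
handling of unlisted trains are assumptions, not NetApp documentation."""
import re

# First fixed P-level per affected ONTAP train, as listed in the advisory.
FIXED = {(9, 9, 1): 18, (9, 10, 1): 16, (9, 11, 1): 13,
         (9, 12, 1): 10, (9, 13, 1): 4}
OLDEST_FIXED_TRAIN = min(FIXED)
NEWEST_FIXED_TRAIN = max(FIXED)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:P(\d+))?$")


def parse_ontap_version(version):
    """Split '9.12.1P10' into ((9, 12, 1), 10); a missing P-level counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {version!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro)), int(patch or 0)


def is_affected(version):
    """True if the version is below the fix for its train.
    Assumption: trains older than 9.9.1 are affected (they predate every fix),
    trains newer than 9.13.1 are not."""
    train, patch = parse_ontap_version(version)
    if train in FIXED:
        return patch < FIXED[train]
    if train < OLDEST_FIXED_TRAIN:
        return True
    return False  # newer than any listed train; assumed to carry the fix


def triage(inventory):
    """Map hostname -> 'PATCH REQUIRED' or 'ok' for (host, version) pairs."""
    return {host: ("PATCH REQUIRED" if is_affected(ver) else "ok")
            for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real systems.
    sample = [("filer-a", "9.12.1P8"), ("filer-b", "9.13.1P4"), ("filer-c", "9.11.1")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```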