CVE-2024-21985
📋 TL;DR
This vulnerability in NetApp ONTAP allows authenticated users with multiple remote accounts to perform REST API actions beyond their intended privileges. Affected users can view configuration details, modify settings, and potentially cause Denial of Service. This affects ONTAP 9 versions prior to specific patch releases.
💻 Affected Systems
- NetApp ONTAP
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker holding multiple remote accounts could modify critical settings and cause a system-wide Denial of Service, potentially disrupting storage operations.
Likely Case
Privilege escalation that lets users view sensitive configuration details or modify a limited set of settings they should not have access to.
If Mitigated
Minimal impact with proper access controls, monitoring, and single-account policies in place.
🎯 Exploit Status
Requires authenticated access with multiple accounts and knowledge of REST API endpoints. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ONTAP 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10, or 9.13.1P4
Vendor Advisory: https://security.netapp.com/advisory/ntap-20240126-0001/
Restart Required: Yes
Instructions:
1. Check the current ONTAP version.
2. Download the appropriate patch from the NetApp Support Site.
3. Apply the patch following NetApp upgrade procedures.
4. Reboot the system as required.
5. Verify the patch installation.
🔧 Temporary Workarounds
Restrict Account Creation
Limit users to a single remote account each, removing the multiple-account precondition the vulnerability depends on.
# Review and enforce single-account policies for ONTAP users
# Use: security login create/modify commands to manage accounts
Restrict REST API Access
Limit REST API access to trusted networks and enforce strict authentication controls.
# Configure network restrictions for REST API endpoints
# Use: network interface modify commands
🧯 If You Can't Patch
- Implement strict access controls limiting users to single remote accounts
- Monitor REST API logs for unusual privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the ONTAP version using 'system node show -version' and compare it against the fixed patch releases listed above; anything below the fixed patch level on its release branch is affected.
Check Version:
system node show -version
Verify Fix Applied:
Verify that the running version is 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10, 9.13.1P4, or a later patch level on the same release branch, using 'system node show -version'.
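An added version check (example code written for this page, not NetApp's own tooling) that parses the output of 'system node show -version' and compares the patch level against the fixed releases listed above. The output line format and the sample outputs are constructed assumptions; release branches not in the advisory's table are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fixed patch level per release branch, taken from the advisory text above.
FIXED_PATCH = {
    (9, 9, 1): 18,
    (9, 10, 1): 16,
    (9, 11, 1): 13,
    (9, 12, 1): 10,
    (9, 13, 1): 4,
}

# Matches "9.12.1P8" or "9.12.1" (no P suffix = GA release, patch level 0).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:P(\d+))?\b")

Branch = Tuple[int, int, int]


def parse_ontap_version(output: str) -> Optional[Tuple[Branch, int]]:
    """Return (branch, patch_level) from 'system node show -version' output."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patch = int(m.group(4)) if m.group(4) else 0
    return branch, patch


def assess(output: str) -> str:
    """Classify as 'fixed', 'vulnerable', or 'unknown: ...' per the advisory table."""
    parsed = parse_ontap_version(output)
    if parsed is None:
        return "unknown: no ONTAP version found in output"
    branch, patch = parsed
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return "unknown: branch %d.%d.%d is not in the advisory's fixed-version table" % branch
    return "fixed" if patch >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample output line; the real format may differ.
    sample = "NetApp Release 9.12.1P8: Fri Oct 13 10:00:00 UTC 2023"
    print(assess(sample))
```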
📡 Detection & Monitoring
Log Indicators:
- Multiple account logins from same user
- REST API calls performing actions beyond user's normal role
- Configuration changes from non-admin accounts
Network Indicators:
- Unusual REST API traffic patterns
- Multiple authentication requests from same source
SIEM Query:
source="ontap" AND ((event_type="authentication" AND user_count>1) OR (event_type="api_call" AND privilege_escalation=true))