Details of VAR-201903-0170

ID

VAR-201903-0170

CVE

CVE-2019-5490

TITLE

NetApp Service Processor Firmware vulnerabilities related to authorization, authority, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2019-003213

DESCRIPTION

Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY. NetApp Service Processor Firmware contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NetAppServiceProcessor is a remote management device from NetApp Corporation of the United States. The product provides node remote management capabilities, including console redirection, logging and power control. An attacker could exploit this vulnerability to execute arbitrary commands. This issue affects the following products and versions: NetApp Service Processor versions 2.8, 3.7, 4.5, and 5.5 running on Clustered Data ONTAP 9.5, 9.4 and 9.3 NetApp Service Processor versions 2.5, 3.4, 3.4 patch1, 3.4 patch2, 4.2, 5.2, 4.2 patch1, 4.2 patch2, 5.2, and 5.2 patch1 running on Clustered Data ONTAP 9.2 NetApp Service Processor versions 2.4.1, 2.4.1 patch1, 3.3, 3.3 patch1, 3.3 patch2, 3.3 patch3, 3.3 patch4, 4.1,4.1 patch1, 4.1 patch2, 4.1 patch3, 4.1 patch4, 4.1 patch4, 4.1 patch5, 4.1 patch6, 5.1, 5.1 patch1, 5.1 patch2, and 5.1 patch3 running on Clustered Data ONTAP 9.1 NetApp Service Processor versions 2.4 and 3.2 running on Clustered Data ONTAP 9.0 NetApp Service Processor versions 2.3.2, 2.3.2 patch1, 2.3.2 patch2, 2.3.2 patch3, 3.1.2, 3.1.2 patch1, and 3.1.2 patch2 running on Clustered Data ONTAP 8.3 NetApp Service Processor versions 2.5, and 3.0.4 running on Clustered Data ONTAP 8.2

Trust: 2.52

sources: NVD: CVE-2019-5490 // JVNDB: JVNDB-2019-003213 // CNVD: CNVD-2019-15079 // BID: 107896 // VULMON: CVE-2019-5490

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-15079

AFFECTED PRODUCTS

vendor:	netapp	model:	service processor	scope:	eq	version:	3.1.2	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	3.0.4	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.4.1	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.3.2	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.2.5	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	5.5	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	5.2	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	5.1	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	4.5	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	4.2	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	4.1	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	3.7	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	3.4	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	3.3	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	3.2	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.8	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.5	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.4	Trust: 1.3
vendor:	netapp	model:	service processor	scope:	eq	version:	2.x to 5.x	Trust: 0.8
vendor:	netapp	model:	service processor	scope:	eq	version:	5.*	Trust: 0.6
vendor:	netapp	model:	service processor	scope:	eq	version:	4.*	Trust: 0.6
vendor:	netapp	model:	service processor	scope:	eq	version:	3.*	Trust: 0.6
vendor:	netapp	model:	service processor	scope:	eq	version:	2.*	Trust: 0.6
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	2.4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	eq	version:	2.3.2	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	2.3.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	2.3.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	5.2	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	eq	version:	5.1	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	5.1	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	5.1	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	4.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	4.2	Trust: 0.3
vendor:	netapp	model:	service processor patch6	scope:	eq	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch5	scope:	eq	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch4	scope:	eq	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	eq	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	3.4	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	3.4	Trust: 0.3
vendor:	netapp	model:	service processor patch4	scope:	eq	version:	3.3	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	eq	version:	3.3	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	eq	version:	3.3	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	eq	version:	3.3	Trust: 0.3
vendor:	netapp	model:	data ontap operating in 7-mode	scope:	eq	version:	0	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	9.5	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	9.4	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	9.3	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	9.2	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	9.1	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	9.0	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	8.3	Trust: 0.3
vendor:	netapp	model:	clustered data ontap	scope:	eq	version:	8.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	5.5	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	ne	version:	5.2	Trust: 0.3
vendor:	netapp	model:	service processor patch4	scope:	ne	version:	5.1	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	4.5	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	ne	version:	4.2	Trust: 0.3
vendor:	netapp	model:	service processor patch7	scope:	ne	version:	4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	3.7	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	ne	version:	3.4	Trust: 0.3
vendor:	netapp	model:	service processor patch5	scope:	ne	version:	3.3	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	3.2	Trust: 0.3
vendor:	netapp	model:	service processor patch3	scope:	ne	version:	3.1.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	2.8	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	2.5	Trust: 0.3
vendor:	netapp	model:	service processor patch2	scope:	ne	version:	2.4.1	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	2.4	Trust: 0.3
vendor:	netapp	model:	service processor patch4	scope:	ne	version:	2.3.2	Trust: 0.3
vendor:	netapp	model:	service processor patch1	scope:	ne	version:	2.2.5	Trust: 0.3
vendor:	netapp	model:	clustered data ontap 9.5p1	scope:	ne	version:	-	Trust: 0.3
vendor:	netapp	model:	clustered data ontap 9.4p6	scope:	ne	version:	-	Trust: 0.3
vendor:	netapp	model:	clustered data ontap 9.3p11	scope:	ne	version:	-	Trust: 0.3
vendor:	netapp	model:	clustered data ontap 9.1p17	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2019-15079 // BID: 107896 // JVNDB: JVNDB-2019-003213 // NVD: CVE-2019-5490

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-5490
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-5490
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-15079
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201903-293
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2019-5490
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-5490
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-15079
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-5490
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-15079 // VULMON: CVE-2019-5490 // JVNDB: JVNDB-2019-003213 // CNNVD: CNNVD-201903-293 // NVD: CVE-2019-5490

PROBLEMTYPE DATA

problemtype:	CWE-1188	Trust: 1.0
problemtype:	CWE-264	Trust: 0.8

sources: JVNDB: JVNDB-2019-003213 // NVD: CVE-2019-5490

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-293

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201903-293

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003213

PATCH

title:	NTAP-20190305-0001	url:	https://security.netapp.com/advisory/ntap-20190305-0001/	Trust: 0.8
title:	Patch for NetAppServiceProcessor permission and access control issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/161977	Trust: 0.6
title:	NetApp Service Processor Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89923	Trust: 0.6

sources: CNVD: CNVD-2019-15079 // JVNDB: JVNDB-2019-003213 // CNNVD: CNNVD-201903-293

EXTERNAL IDS

db:	NVD	id:	CVE-2019-5490	Trust: 3.4
db:	LENOVO	id:	LEN-26771	Trust: 1.7
db:	JVNDB	id:	JVNDB-2019-003213	Trust: 0.8
db:	CNVD	id:	CNVD-2019-15079	Trust: 0.6
db:	CNNVD	id:	CNNVD-201903-293	Trust: 0.6
db:	BID	id:	107896	Trust: 0.3
db:	VULMON	id:	CVE-2019-5490	Trust: 0.1

sources: CNVD: CNVD-2019-15079 // VULMON: CVE-2019-5490 // BID: 107896 // JVNDB: JVNDB-2019-003213 // CNNVD: CNNVD-201903-293 // NVD: CVE-2019-5490

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20190305-0001/	Trust: 2.0
url:	http://support.lenovo.com/us/en/solutions/len-26771	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-5490	Trust: 1.4
url:	https://vigilance.fr/vulnerability/netapp-data-ontap-code-execution-via-netapp-service-processor-privileged-account-28695	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5490	Trust: 0.8
url:	http://www.netapp.com/us/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/1188.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2019-15079 // VULMON: CVE-2019-5490 // BID: 107896 // JVNDB: JVNDB-2019-003213 // CNNVD: CNNVD-201903-293 // NVD: CVE-2019-5490

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 107896

SOURCES

db:	CNVD	id:	CNVD-2019-15079
db:	VULMON	id:	CVE-2019-5490
db:	BID	id:	107896
db:	JVNDB	id:	JVNDB-2019-003213
db:	CNNVD	id:	CNNVD-201903-293
db:	NVD	id:	CVE-2019-5490

LAST UPDATE DATE

2024-11-23T22:00:06.504000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-15079	date:	2019-05-22T00:00:00
db:	VULMON	id:	CVE-2019-5490	date:	2020-08-24T00:00:00
db:	BID	id:	107896	date:	2019-03-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-003213	date:	2019-05-13T00:00:00
db:	CNNVD	id:	CNNVD-201903-293	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-5490	date:	2024-11-21T04:45:02.493

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-15079	date:	2019-05-22T00:00:00
db:	VULMON	id:	CVE-2019-5490	date:	2019-03-21T00:00:00
db:	BID	id:	107896	date:	2019-03-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-003213	date:	2019-05-13T00:00:00
db:	CNNVD	id:	CNNVD-201903-293	date:	2019-03-08T00:00:00
db:	NVD	id:	CVE-2019-5490	date:	2019-03-21T19:29:00.580