CVE-2023-27317 - OpenCVE

ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a vulnerability which will cause all SAS-attached FIPS 140-2 drives to become unlocked after a system reboot or power cycle or a single SAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This could lead to disclosure of sensitive information to an attacker with physical access to the unlocked drives.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	Ontap

Configuration 1 [-]

OR	cpe:2.3:a:netapp:ontap:9.12.1:p8::::::
	cpe:2.3:a:netapp:ontap:9.13.1:p4::::::
	cpe:2.3:a:netapp:ontap:9.13.1:p5::::::

No data.

References

Link	Providers
https://security.netapp.com/advisory/NTAP-20231215-0001/

History

No history.

MITRE

Status: PUBLISHED

Assigner: netapp

Published: 2023-12-15T22:59:11.093Z

Updated: 2024-08-02T12:09:43.287Z

Reserved: 2023-02-28T17:20:57.462Z

Link: CVE-2023-27317

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-15T23:15:07.140

Modified: 2023-12-19T20:00:14.327

Link: CVE-2023-27317

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27317", "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "state": "PUBLISHED", "assignerShortName": "netapp", "dateReserved": "2023-02-28T17:20:57.462Z", "datePublished": "2023-12-15T22:59:11.093Z", "dateUpdated": "2024-08-02T12:09:43.287Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ONTAP 9", "vendor": "NetApp", "versions": [{"status": "affected", "version": "9.12.1P8"}, {"status": "affected", "version": "9.13.1P4"}, {"status": "affected", "version": "9.13.1P5"}]}], "datePublic": "2023-12-15T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a \nvulnerability which will cause all SAS-attached FIPS 140-2 drives to \nbecome unlocked after a system reboot or power cycle or a single \nSAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This\n could lead to disclosure of sensitive information to an attacker with \nphysical access to the unlocked drives. \n\n"}], "value": "ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a \nvulnerability which will cause all SAS-attached FIPS 140-2 drives to \nbecome unlocked after a system reboot or power cycle or a single \nSAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This\n could lead to disclosure of sensitive information to an attacker with \nphysical access to the unlocked drives. \n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp", "dateUpdated": "2023-12-15T22:59:11.093Z"}, "references": [{"url": "https://security.netapp.com/advisory/NTAP-20231215-0001/"}], "source": {"advisory": "NTAP-20231215-0001", "discovery": "UNKNOWN"}, "title": "Information Disclosure Vulnerability in ONTAP 9 ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20231215-0001/"}, {"url": "https://security.netapp.com/advisory/NTAP-20231215-0001/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:09:43.287Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap:9.12.1:p8:*:*:*:*:*:*", "matchCriteriaId": "2D9A4188-F120-4A47-BF32-5114D2782225", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:ontap:9.13.1:p4:*:*:*:*:*:*", "matchCriteriaId": "0FD66569-CEF3-480B-9234-DB0A32F20667", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:ontap:9.13.1:p5:*:*:*:*:*:*", "matchCriteriaId": "54AABC18-1136-438F-AA7E-4D408347224D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a \nvulnerability which will cause all SAS-attached FIPS 140-2 drives to \nbecome unlocked after a system reboot or power cycle or a single \nSAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This\n could lead to disclosure of sensitive information to an attacker with \nphysical access to the unlocked drives. \n\n"}, {"lang": "es", "value": "ONTAP 9 versiones 9.12.1P8, 9.13.1P4 y 9.13.1P5 son susceptibles a una vulnerabilidad que har\u00e1 que todas las unidades FIPS 140-2 conectadas a SAS se desbloqueen despu\u00e9s de reiniciar el sistema o reiniciar el sistema o un \u00fanico FIPS 140 conectado a SAS. -2 unidad para desbloquearse despu\u00e9s de la reinserci\u00f3n. Esto podr\u00eda dar lugar a la divulgaci\u00f3n de informaci\u00f3n confidencial a un atacante con acceso f\u00edsico a las unidades desbloqueadas."}], "id": "CVE-2023-27317", "lastModified": "2023-12-19T20:00:14.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security-alert@netapp.com", "type": "Secondary"}]}, "published": "2023-12-15T23:15:07.140", "references": [{"source": "security-alert@netapp.com", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/NTAP-20231215-0001/"}], "sourceIdentifier": "security-alert@netapp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-alert@netapp.com", "type": "Secondary"}]}