Priority: ● High
Status: In Progress - Undergoing Analysis
First Published: September 26, 2023
Advisory Version: [1.0]
A vulnerability exists in the SMB/NetBIOS implementation on legacy versions of the Windows and Windows NT/2000 operating systems. In summary, if an SMB share that has no access control is detected on an unpatched version of these operating systems, access to the entire hard drive could be allowed. In Windows NT, it is common to find shares with all access enabled, since this is the default setting when a share is created. It is best to explicitly set the access control list on shares from the outset. If this vulnerability is detected on a version of Windows NT prior to Service Pack 3 (SP3), an attacker can use shares to cause the system to crash.
The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by either of these vulnerabilities. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.
Fixed Release Version
HCP is not vulnerable by default and is working as designed.
By default, at the namespace level, only Authenticated Access is allowed. A user would have to select the "Anonymous access only" option to enable this vulnerability.
The recommended mitigation is for the customer to go through all existing namespaces in the Tenant Management Console (TMC) and make sure no namespaces are using “Enable CIFS” and “Anonymous access only”. In TMC, namespaces with anonymous access show an alert icon with the hover text “Anonymous access allowed”, so the customer only needs to expand the namespaces that show that alert.
Products Confirmed Not Vulnerable
At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.