Vulnerability CVE-2021-27001 - CERT Civis.Net

Vulnerability Name:

CVE-2021-27001 (CCN-211754)

Assigned:

2021-10-18

Published:

2021-10-18

Updated:

2022-07-12

Summary:

Clustered Data ONTAP versions 9.x prior to 9.5P18, 9.6P16, 9.7P16, 9.8P7 and 9.9.1P2 are susceptible to a vulnerability which could allow an authenticated privileged local attacker to arbitrarily modify Compliance-mode WORM data prior to the end of the retention period.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

4.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)
3.6 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

3.8 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2021-27001

Source: XF
Type: UNKNOWN
netapp-cve202127001-sec-bypass(211754)

Source: MISC
Type: Vendor Advisory
https://security.netapp.com/advisory/ntap-20211018-0001

Source: CCN
Type: NetApp Advisory Number NTAP-20211018-0001
CVE-2021-27001 Arbitrary Data Modification Vulnerability in Clustered Data ONTAP

Vulnerable Configuration:

Configuration 1:

cpe:/o:netapp:clustered_data_ontap:9.6:p3:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p1:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p7:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p8:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:-:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p4:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p6:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p8:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p9:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:-:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p12:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p13:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p14:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p15:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p12:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p15:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.6:p9:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:-:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:p12:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:p13:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:p14:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:p7:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:p9:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.7:rc1:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.8:-:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.8:p3:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.8:p5:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:*:*:*:*:*:*:*:* (Version >= 9.0 and <= 9.4)

OR cpe:/o:netapp:clustered_data_ontap:9.5:p16:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.5:p17:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.9.1:-:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:netapp:clustered_data_ontap:9.0:*:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.1:*:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.3:-:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.4:-:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.2:-:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.6:-:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.5:-:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.7:-:*:*:*:*:*:*

OR cpe:/a:netapp:clustered_data_ontap:9.7:p7:*:*:*:*:*:*

OR cpe:/o:netapp:clustered_data_ontap:9.8:-:*:*:*:*:*:*

Denotes that component is vulnerable