[NEWS] Engenio/LSI Logic Controllers DoS/Data Corruption

From: SecuriTeam (support_at_securiteam.com)
Date: 09/19/04

  • Next message: SecuriTeam: "[UNIX] Snitz Forums 2000 HTTP Response Splitting" 
    To: list@securiteam.com
Date: 19 Sep 2004 16:22:10 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Engenio/LSI Logic Controllers DoS/Data Corruption
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.engenio.com/> Engenio (formerly LSI Logic) builds
    high-performance SATA and Fiber Channel OEM storage systems for
    data-intensive environment. This hardware is sold with different covers by
    IBM (FastT series), Storagetek (D series), SGI and Teradata.

    Storagetek and IBM FastT controllers can be frozen with a few specially
    crafted TCP packets. The IP stack becomes unresponsive and administration
    through Santricity/IBM Storage Manager becomes impossible.

    Under some circumstances, unrecoverable corruption of the stored data will
    happen. This attack doesn't require any authentication and there is no
    trace in any log file. The controllers are vulnerable even at
    installation-time.

    DETAILS

    Vulnerable Systems:
     * Storagetek D280
     * IBM FastT 100
       * Firmware version 3.1 and prior

    Immune Systems:
     * Storagetek D280
     * IBM FastT 100
       * Firmware version 3.2 or newer

    Solution:
    The vendor has issued a new firmware, 3.2, which addresses this issue.

    Vendors status:
    After successful data corruption of a D280 storage system, Storagetek was
    informed on Jun 14. They said they will publish details and release a
    patch the week after. They didn't.

    In order to give a chance to all vendors to get a fix, Jedi/Sector One
    sent details and a working exploit to the Engenio/LSI Logic support
    <support@lsil.com> on Jun 21. Their tech support is awesome. [about the
    attached C source code]:
    "What format is this image in? I cannot open it. Can you please send it in
    another format?". The ticket was then closed "it's a Storagetek issue".

    On Jun 25, the global technical services manager reopened the ticket,
    asking some tech people whether that issue was being looked at. Nothing
    happened since. Jedi/Sector One also sent them a fix for a bug in
    Santricity but there was no answer either.

    Later, Storagetek came back to Jedi/Sector One. They confirmed the
    vulnerability and they were able to reproduce it on their Brocade
    fiber-channel switches as well. They said the bug was actually in the
    embedded operating system, VxWorks.

    It's why Jedi/Sector One wrote to the Brocade support
    <support@brocade.com> on Jul 6, with details and the exploit. It was
    assigned case number RQST00000030729 but Jedi/Sector One didn't get
    anything except a generic message asking for a serial number in order to
    verify the service entitlement. The email address of his support contact
    <mzhang@brocade.com> doesn't even work any more.

    Jedi/Sector One wrote to Windriver with the same result: "please provide
    your license number". This is frustrating. I'm not asking for support,
    Jedi/Sector One is not even a direct customer, he just want to _help_, but
    no, this is impossible, you have to pay to help.

    On Jun 30, Jedi/Sector One wrote to SGI just in case their hardware would
    also be vulnerable. Teradata web site is a total mess and Jedi/Sector One
    wasn't able to find anything related to their storage systems. The online
    form for security alert on the SGI web site sent a mail to
    <security-alert@csd.sgi.com> but the mail bounced from
    internal-mail-relay.corp.sgi.com with an internal error the week after:
    "451 relay.engt.sgi.com: Name server timeout".

    IBM was contacted the same day, with details and the exploit. The AIX
    security contact is a very nice guy but it looks like he can't find anyone
    at IBM that could listen to Totalstorage-related security issues.

    The company Jedi/Sector One is working for just bought a newly
    manufactured IBM FastT 100. It could be crashed the same way as the
    Storagetek D280 controller, so almost all Engenio-based storage systems
    probably still share the same security issue.

    Multiple emails were sent later to those vendors with the hope of having
    some news about that issue, but it was a waste of time. At this point
    Jedi/Sector One guess there is nothing else that can be done.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:j@pureftpd.org> Jedi/Sector
    One.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Snitz Forums 2000 HTTP Response Splitting"