[NT] Network Appliance iSCSI Authentication Bypass

From: SecuriTeam (support_at_securiteam.com)
Date: 10/31/05 

To: list@securiteam.com
Date: 31 Oct 2005 08:57:44 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Network Appliance iSCSI Authentication Bypass
------------------------------------------------------------------------

SUMMARY

iSCSI is "a TCP protocol running over a well-known port, over which iSCSI
records are exchanged. Full-featured iSCSI sessions provide access to raw
disk blocks conveyed as SCSI messages inside iSCSI records. Security in an
iSCSI deployment is typically based on strong authentication, which proves
that an iSCSI client ('initiator') is allowed access to disk blocks on an
iSCSI server and target LUNs ('target' and 'LUN')".

Unauthenticated iSCSI Initiators can bypass iSCSI authentication on NetApp
Filers by manipulating the iSCSI Login Negotiation protocol. The impact of
this vulnerability is the negation of iSCSI security on affected NetApp
filers.

DETAILS

Vulnerable Systems:
 * Network Appliance Data ONTAP Operating System, Releases 6.4, 6.5, and
7.0

iSCSI authentication occurs via LOGINREQUEST and LOGINRESPONSE iSCSI
records, which are used to negotiate authentication parameters, including
the initiator, target, and mode of authentication. iSCSI "Login
Negotiation" occurs in 3 phases:

1. Security ("Start") mode, where the client and server verify their
identity.

2. Operational mode, where the client and server negotiate
on-security-related session parameters.

3. FullFeature mode, where the client and server exchange SCSI commands.

The problem we have observed is that an iSCSI clients can launch
negotiation attacks in which clients force servers to transition from
Security phase to Operational phase **without proving identity**.

To exploit this problem, we wrote a custom iSCSI client that short
circuits login negotiation, asserting an unchecked transition to
Operational mode. Affected Filers honor the client assertion, bypassing
authentication.

There is no known exploit code circulating for this vulnerability.

Data stored in iSCSI-mapped LUNs on affected Network Appliance Filers can
be read and altered by an attacker. Unmapped LUNS and LUNs mapped only to
Fibre Channel initiators are not vulnerability to this attack.

Vendor Response:
Network Appliance Data ONTAP 7.0.2 is a General Availability release:
 <http://now.netapp.com/NOW/cgi-bin/software>
http://now.netapp.com/NOW/cgi-bin/software

Release of this advisory was coordinated with Network Appliance. Network
Appliance has confirmed this vulnerability. For further information about
the vulnerability disclosed in this advisory, see
[NOW.NETAPP.COM BugsOnline] (
<http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359>
http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359).

ADDITIONAL INFORMATION

The information has been provided by <mailto:tqbf@matasano.com> Thomas H.
Ptacek.
The original article can be found at:
<http://www.matasano.com/advisories/netapp-iSCSI.txt>
http://www.matasano.com/advisories/netapp-iSCSI.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [Full-disclosure] RE: [NT] Microsoft Multiple E-Mail Client Address Spoofing Vulnerability
    ... As a security professional working for a Corporate Office the "Multiple ... E-Mail Client Address Vulnerability" (please see original advisory attached ... Outlook 2003 and Exchange 2003 as far as I could tell. ...
    (Full-Disclosure)
  • RE: Non Disclosure Agreements
    ... still contains known vulnerability YYY". ... > I have a potential client that wishes me to go to their ... > The customer cannot disclose vulns that I find in their ... > recognized corporate security certification track, ...
    (Security-Basics)
  • [NT] PuTTY and PSCP Multiple Heap Overflow Vulnerabilities
    ... Get your security news from a reliable source. ... PuTTY is a free implementation of Telnet and SSH for Win32 and Unix ... vulnerabilities and as a result execute arbitrary code at the client side. ... While PSCP is authenticating to the server this vulnerability can be ...
    (Securiteam)
  • [UNIX] PFinger Format String Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Both client and server are vulnerable to a format string injection ... The client uses directly the data received from the server as the first ... Complete exploitation of this vulnerability will permit an attacker to ...
    (Securiteam)
  • Network Appliance iSCSI Authentication Bypass
    ... Unauthenticated iSCSI Initiators can bypass iSCSI authentication on ... security on affected NetApp filers. ... Data stored in iSCSI-mapped LUNs on affected Network Appliance Filers ...
    (Bugtraq)