SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Data ONTAP OS Vendors:  Network Appliance
Network Appliance Data ONTAP iSCSI Security Controls Can Be Bypassed
SecurityTracker Alert ID:  1015103
SecurityTracker URL:  http://securitytracker.com/id?1015103
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 25 2005
Impact:  Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): Network Appliance Data ONTAP Operating System, Releases 6.4, 6.5, and 7.0.
Description:  A vulnerability was reported in the Network Appliance Data ONTAP operating system. NetApp filer iSCSI security controls can be bypassed.

A remote user (iSCSI client) can manipulate the iSCSI authentication protocol to gain access to the target NetApp filer without authenticating. As a result, the remote user can read and modify iSCSI-mapped logical unit numbers (LUNs) on the target system.

Unmapped LUNS are not affected. LUNs mapped only to Fibre Channel initiators are not affected.

Thomas H. Ptacek of Matasano Security reported this vulnerability.

The original advisory is available at:

http://www.matasano.com/advisories/netapp-iSCSI.txt
Impact:  A remote iSCSI client can bypass iSCSI authentication on the target NetApp filer to access disk blocks.
Solution:  The vendor has issued a fixed version (Data ONTAP 7.0.2), available at:

http://now.netapp.com/NOW/cgi-bin/software

The vendor's advisory is available at:

http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359
Vendor URL:  www.netapp.com/ (Links to External Site)
Cause:  Authentication error
Reported By:  advisories@matasano.com
Message History:   None.

 Source Message Contents
Date:  Tue, 25 Oct 2005 06:21:15 -0400
From:  advisories@matasano.com
Subject:  [Full-disclosure] Network Appliance iSCSI Authentication Bypass

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Security Advisory: Network Appliance iSCSI Authentication Bypass

## Origin Date: Wed Aug 3 2005

## Publication Date: Mon Oct 24 2005

## Synopsis

Unauthenticated iSCSI Initiators can bypass iSCSI authentication on
NetApp Filers by manipulating the iSCSI Login Negotiation
protocol. The impact of this vulnerability is the negation of iSCSI
security on affected NetApp filers.

## Details

### Background

iSCSI is a TCP protocol running over a well-known port, over which
iSCSI records are exchanged. Full-featured iSCSI sessions provide
access to raw disk blocks conveyed as SCSI messages inside iSCSI
records. Security in an iSCSI deployment is typically based on strong
authentication, which proves that an iSCSI client ("initiator") is
allowed access to disk blocks on an iSCSI server and target LUNs
("target" and "LUN").

### Vulnerability

iSCSI authentication occurs via LOGINREQUEST and LOGINRESPONSE iSCSI
records, which are used to negotiate authentication parameters,
including the initiator, target, and mode of authentication. iSCSI
"Login Negotiation" occurs in 3 phases: 

1.    Security ("Start") mode, where the client and server verify their
    identity.

2.    Operational mode, where the client and server negotiate
    non-security-related session parameters.

3.    FullFeature mode, where the client and server exchange SCSI
    commands. 

The problem we have observed is that an iSCSI clients can launch
negotiation attacks in which clients force servers to transition from
Security phase to Operational phase **without proving identity**.

To exploit this problem, we wrote a custom iSCSI client that short
circuits login negotiation, asserting an unchecked transition to
Operational mode. Affected Filers honor the client assertion, bypassing
authentication.

There is no known exploit code circulating for this vulnerability.

### Impact

Data stored in iSCSI-mapped LUNs on affected Network Appliance Filers
can be read and altered by an attacker. Unmapped LUNS and LUNs mapped
only to Fibre Channel initiators are not vulnerability to this attack.

### Target

Network Appliance Data ONTAP Operating System, Releases 6.4, 6.5, and
7.0.

### Vendor Response

Network Appliance Data ONTAP 7.0.2 is a General Availability release: 
http://now.netapp.com/NOW/cgi-bin/software


Release of this advisory was coordinated with Network
Appliance. Network Appliance has confirmed this vulnerability. For
further information about the vulnerability disclosed in this
advisory, see
[NOW.NETAPP.COM BugsOnline](http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359).

## Origin

Thomas H. Ptacek, Matasano Security 

tqbf _at_ matasano.com

For more information on this advisory, please contact

advisories _at_ matasano.com

http://www.matasano.com/advisories/netapp-iSCSI.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDXVXc9HF8IN5vKKkRAjhSAKCwFOc+hfquaCzAt4Tta8COy0cb3gCePw7s
/xsX/6qNLZpOAT2ySApgtNE=
=kdhZ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC