|
|
|
|
| |
Engenio (formerly LSI Logic) builds high-performance SATA and Fiber Channel OEM storage systems for data-intensive environment. This hardware is sold with different covers by IBM (FastT series), Storagetek (D series), SGI and Teradata.
Storagetek and IBM FastT controllers can be frozen with a few specially crafted TCP packets. The IP stack becomes unresponsive and administration through Santricity/IBM Storage Manager becomes impossible.
Under some circumstances, unrecoverable corruption of the stored data will happen. This attack doesn't require any authentication and there is no trace in any log file. The controllers are vulnerable even at installation-time. |
| |
Credit:
The information has been provided by Jedi/Sector One.
|
| |
Vulnerable Systems:
* Storagetek D280
* IBM FastT 100
* Firmware version 3.1 and prior
Immune Systems:
* Storagetek D280
* IBM FastT 100
* Firmware version 3.2 or newer
Solution:
The vendor has issued a new firmware, 3.2, which addresses this issue.
Vendors status:
After successful data corruption of a D280 storage system, Storagetek was informed on Jun 14. They said they will publish details and release a patch the week after. They didn't.
In order to give a chance to all vendors to get a fix, Jedi/Sector One sent details and a working exploit to the Engenio/LSI Logic support <support@lsil.com> on Jun 21. Their tech support is awesome. [about the attached C source code]:
"What format is this image in? I cannot open it. Can you please send it in another format?". The ticket was then closed "it's a Storagetek issue".
On Jun 25, the global technical services manager reopened the ticket, asking some tech people whether that issue was being looked at. Nothing happened since. Jedi/Sector One also sent them a fix for a bug in Santricity but there was no answer either.
Later, Storagetek came back to Jedi/Sector One. They confirmed the vulnerability and they were able to reproduce it on their Brocade fiber-channel switches as well. They said the bug was actually in the embedded operating system, VxWorks.
It's why Jedi/Sector One wrote to the Brocade support <support@brocade.com> on Jul 6, with details and the exploit. It was assigned case number RQST00000030729 but Jedi/Sector One didn't get anything except a generic message asking for a serial number in order to verify the service entitlement. The email address of his support contact <mzhang@brocade.com> doesn't even work any more.
Jedi/Sector One wrote to Windriver with the same result: "please provide your license number". This is frustrating. I'm not asking for support, Jedi/Sector One is not even a direct customer, he just want to _help_, but no, this is impossible, you have to pay to help.
On Jun 30, Jedi/Sector One wrote to SGI just in case their hardware would also be vulnerable. Teradata web site is a total mess and Jedi/Sector One wasn't able to find anything related to their storage systems. The online form for security alert on the SGI web site sent a mail to <security-alert@csd.sgi.com> but the mail bounced from internal-mail-relay.corp.sgi.com with an internal error the week after: "451 relay.engt.sgi.com: Name server timeout".
IBM was contacted the same day, with details and the exploit. The AIX security contact is a very nice guy but it looks like he can't find anyone at IBM that could listen to Totalstorage-related security issues.
The company Jedi/Sector One is working for just bought a newly manufactured IBM FastT 100. It could be crashed the same way as the Storagetek D280 controller, so almost all Engenio-based storage systems probably still share the same security issue.
Multiple emails were sent later to those vendors with the hope of having some news about that issue, but it was a waste of time. At this point Jedi/Sector One guess there is nothing else that can be done.
|
|
|
|
|
|
|
|
|
|
