|
|
|
|
| |
iSCSI is "a TCP protocol running over a well-known port, over which iSCSI records are exchanged. Full-featured iSCSI sessions provide access to raw disk blocks conveyed as SCSI messages inside iSCSI records. Security in an iSCSI deployment is typically based on strong authentication, which proves that an iSCSI client ('initiator') is allowed access to disk blocks on an iSCSI server and target LUNs ('target' and 'LUN')".
Unauthenticated iSCSI Initiators can bypass iSCSI authentication on NetApp Filers by manipulating the iSCSI Login Negotiation protocol. The impact of this vulnerability is the negation of iSCSI security on affected NetApp filers. |
| |
Credit:
The information has been provided by Thomas H. Ptacek.
The original article can be found at: http://www.matasano.com/advisories/netapp-iSCSI.txt
|
| |
Vulnerable Systems:
* Network Appliance Data ONTAP Operating System, Releases 6.4, 6.5, and 7.0
iSCSI authentication occurs via LOGINREQUEST and LOGINRESPONSE iSCSI records, which are used to negotiate authentication parameters, including the initiator, target, and mode of authentication. iSCSI "Login Negotiation" occurs in 3 phases:
1. Security ("Start") mode, where the client and server verify their identity.
2. Operational mode, where the client and server negotiate on-security-related session parameters.
3. FullFeature mode, where the client and server exchange SCSI commands.
The problem we have observed is that an iSCSI clients can launch negotiation attacks in which clients force servers to transition from Security phase to Operational phase **without proving identity**.
To exploit this problem, we wrote a custom iSCSI client that short circuits login negotiation, asserting an unchecked transition to Operational mode. Affected Filers honor the client assertion, bypassing authentication.
There is no known exploit code circulating for this vulnerability.
Data stored in iSCSI-mapped LUNs on affected Network Appliance Filers can be read and altered by an attacker. Unmapped LUNS and LUNs mapped only to Fibre Channel initiators are not vulnerability to this attack.
Vendor Response:
Network Appliance Data ONTAP 7.0.2 is a General Availability release:
http://now.netapp.com/NOW/cgi-bin/software
Release of this advisory was coordinated with Network Appliance. Network Appliance has confirmed this vulnerability. For further information about the vulnerability disclosed in this advisory, see
[NOW.NETAPP.COM BugsOnline] (http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359).
|
|
|
|
|
