Network Appliance iSCSI Authentication Bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Security Advisory: Network Appliance iSCSI Authentication Bypass
## Origin Date: Wed Aug 3 2005
## Publication Date: Mon Oct 24 2005
## Synopsis
Unauthenticated iSCSI Initiators can bypass iSCSI authentication on
NetApp Filers by manipulating the iSCSI Login Negotiation
protocol. The impact of this vulnerability is the negation of iSCSI
security on affected NetApp filers.
## Details
### Background
iSCSI is a TCP protocol running over a well-known port, over which
iSCSI records are exchanged. Full-featured iSCSI sessions provide
access to raw disk blocks conveyed as SCSI messages inside iSCSI
records. Security in an iSCSI deployment is typically based on strong
authentication, which proves that an iSCSI client ("initiator") is
allowed access to disk blocks on an iSCSI server and target LUNs
("target" and "LUN").
### Vulnerability
iSCSI authentication occurs via LOGINREQUEST and LOGINRESPONSE iSCSI
records, which are used to negotiate authentication parameters,
including the initiator, target, and mode of authentication. iSCSI
"Login Negotiation" occurs in 3 phases:
1. Security ("Start") mode, where the client and server verify their
identity.
2. Operational mode, where the client and server negotiate
non-security-related session parameters.
3. FullFeature mode, where the client and server exchange SCSI
commands.
The problem we have observed is that an iSCSI clients can launch
negotiation attacks in which clients force servers to transition from
Security phase to Operational phase **without proving identity**.
To exploit this problem, we wrote a custom iSCSI client that short
circuits login negotiation, asserting an unchecked transition to
Operational mode. Affected Filers honor the client assertion, bypassing
authentication.
There is no known exploit code circulating for this vulnerability.
### Impact
Data stored in iSCSI-mapped LUNs on affected Network Appliance Filers
can be read and altered by an attacker. Unmapped LUNS and LUNs mapped
only to Fibre Channel initiators are not vulnerability to this attack.
### Target
Network Appliance Data ONTAP Operating System, Releases 6.4, 6.5, and
7.0.
### Vendor Response
Network Appliance Data ONTAP 7.0.2 is a General Availability release:
http://now.netapp.com/NOW/cgi-bin/software
Release of this advisory was coordinated with Network
Appliance. Network Appliance has confirmed this vulnerability. For
further information about the vulnerability disclosed in this
advisory, see
[NOW.NETAPP.COM
BugsOnline](http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=169359).
## Origin
Thomas H. Ptacek, Matasano Security
tqbf _at_ matasano.com
For more information on this advisory, please contact
advisories _at_ matasano.com
http://www.matasano.com/advisories/netapp-iSCSI.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDXVXc9HF8IN5vKKkRAjhSAKCwFOc+hfquaCzAt4Tta8COy0cb3gCePw7s
/xsX/6qNLZpOAT2ySApgtNE=
=kdhZ
-----END PGP SIGNATURE-----