Product : Engenio/LSI Logic storage controllers, including: - Storagetek D280 (verified), - IBM FastT 100 (verified), - Probably all other Storagetek and IBM FastT storage controllers since the software part is almost identical, - Maybe some SGI and Teradata storage controllers (unverified), - Some Brocade fiber-channel switches (according to Storagetek), - Maybe other devices with the VxWorks embedded operating system (unverified). Vuln. : Remotely exploitable denial of service / data corruption Date : 09/04/2004 Author : Frank Denis ------------------------[ Product description ]------------------------ Engenio (formerly LSI Logic) builds high-performance SATA and Fiber Channel OEM storage systems for data-intensive environment. This hardware is sold with different covers by IBM (FastT series), Storagetek (D series), SGI and Teradata. Engenio's web site is http://www.engenio.com/ Storagetek disk storage: http://www.storagetek.com/products/disk_storage.html IBM FastT systems: http://www.storage.ibm.com/disk/fastt/ ------------------------[ Vulnerability ]------------------------ Storagetek and IBM FastT controllers can be frozen with a few specially crafted TCP packets. The IP stack becomes unresponsive and administration through Santricity/IBM Storage Manager becomes impossible. Under some circumstances, unrecoverable corruption of the stored data will happen. This attack doesn't require any authentication and there is no trace in any log file. The controllers are vulnerable even at installation-time. ------------------------[ Details ]------------------------ With the hope that vendors will finally fix their products, details won't be disclosed in this advisory. ------------------------[ Workaround ]------------------------ The controllers should always be placed on a dedicated subnet in order to be only reachable from administration hosts. (does is sound obvious? Well... how many SQL Server hosts were compromised a few months back?) ------------------------[ Vendors status ]-------------------- After successful data corruption of a D280 storage system, Storagetek was informed on Jun 14. They said they will publish details and release a patch the week after. They didn't. In order to give a chance to all vendors to get a fix, I sent details and a working exploit to the Engenio/LSI Logic support on Jun 21. Their tech support is awesome. [about the attached C source code]: "What format is this image in? I cannot open it. Can you please send it in another format?". The ticket was then closed "it's a Storagetek issue". On Jun 25, the global technical services manager reopened the ticket, asking some tech people whether that issue was being looked at. Nothing happened since. I also sent them a fix for a bug in Santricity but there was no answer either. Later, Storagetek came back to me. They confirmed the vulnerability and they were able to reproduce it on their Brocade fiber-channel switches as well. They said the bug was actually in the embedded operating system, VxWorks. It's why I wrote to the Brocade support on Jul 6, with details and the exploit. It was assigned case number RQST00000030729 but I didn't get anything except a generic message asking for a serial number in order to verify the service entitlement. The email address of my support contact doesn't even work any more. I wrote to Windriver with the same result: "please provide your license number". This is frustrating. I'm not asking for support, I'm not even a direct customer, I just want to _help_, but no, this is impossible, you have to pay to help. On Jun 30, I wrote to SGI just in case their hardware would also be vulnerable. Teradata web site is a total mess and I wasn't able to find anything related to their storage systems. The online form for security alert on the SGI web site sent a mail to but the mail bounced from internal-mail-relay.corp.sgi.com with an internal error the week after: "451 relay.engt.sgi.com: Name server timeout". IBM was contacted the same day, with details and the exploit. The AIX security contact is a very nice guy but it looks like he can't find anyone at IBM that could listen to Totalstorage-related security issues. The company I'm working for just bought a newly manufactured IBM FastT 100. It could be crashed the same way as the Storagetek D280 controller, so almost all Engenio-based storage systems probably still share the same security issue. Multiple emails were sent later to those vendors with the hope of having some news about that issue, but it was a waste of time. At this point I guess there is nothing else that can be done. -- __ /*- Frank DENIS (Jedi/Sector One) -*\ __ \ '/ Secure FTP Server \' / \/ Misc. free software \/