
[NEWS] Engenio/LSI Logic Controllers DoS/Data Corruption

Subject: [NEWS] Engenio/LSI Logic Controllers DoS/Data Corruption
Date: 19 Sep 2004 16:22:10 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  Engenio/LSI Logic Controllers DoS/Data Corruption
------------------------------------------------------------------------


SUMMARY

 <http://www.engenio.com/> Engenio (formerly LSI Logic) builds 
high-performance SATA and Fiber Channel OEM storage systems for 
data-intensive environments. This hardware is sold with different covers by 
IBM (FastT series), Storagetek (D series), SGI and Teradata.

Storagetek and IBM FastT controllers can be frozen with a few specially 
crafted TCP packets. The IP stack becomes unresponsive and administration 
through Santricity/IBM Storage Manager becomes impossible.

Under some circumstances, unrecoverable corruption of the stored data will 
happen. This attack doesn't require any authentication and there is no 
trace in any log file. The controllers are vulnerable even at 
installation-time.

DETAILS

Vulnerable Systems:
 * Storagetek D280
 * IBM FastT 100
   * Firmware version 3.1 and prior

Immune Systems:
 * Storagetek D280
 * IBM FastT 100
   * Firmware version 3.2 or newer

Solution:
The vendor has issued a new firmware, 3.2, which addresses this issue.

Vendors status:
After successful data corruption of a D280 storage system, Storagetek was 
informed on Jun 14. They said they will publish details and release a 
patch the week after. They didn't.

In order to give a chance to all vendors to get a fix, Jedi/Sector One 
sent details and a working exploit to the Engenio/LSI Logic support 
<support@lsil.com> on Jun 21. Their tech support is awesome. [about the 
attached C source code]:
"What format is this image in? I cannot open it. Can you please send it in 
another format?". The ticket was then closed "it's a Storagetek issue".

On Jun 25, the global technical services manager reopened the ticket, 
asking some tech people whether that issue was being looked at. Nothing 
has happened since. Jedi/Sector One also sent them a fix for a bug in 
Santricity but there was no answer either.

Later, Storagetek came back to Jedi/Sector One. They confirmed the 
vulnerability and they were able to reproduce it on their Brocade 
fiber-channel switches as well. They said the bug was actually in the 
embedded operating system, VxWorks.

That is why Jedi/Sector One wrote to Brocade support 
<support@brocade.com> on Jul 6, with details and the exploit. It was 
assigned case number RQST00000030729 but Jedi/Sector One didn't get 
anything except a generic message asking for a serial number in order to 
verify the service entitlement. The email address of his support contact 
<mzhang@brocade.com> doesn't even work any more.

Jedi/Sector One wrote to Windriver with the same result: "please provide 
your license number". This is frustrating. I'm not asking for support, 
Jedi/Sector One is not even a direct customer, he just wants to _help_, but 
no, this is impossible, you have to pay to help.

On Jun 30, Jedi/Sector One wrote to SGI just in case their hardware would 
also be vulnerable. The Teradata web site is a total mess and Jedi/Sector 
One wasn't able to find anything related to their storage systems. The 
online form for security alerts on the SGI web site sent a mail to 
<security-alert@csd.sgi.com> but the mail bounced from 
internal-mail-relay.corp.sgi.com with an internal error the week after: 
"451 relay.engt.sgi.com: Name server timeout".

IBM was contacted the same day, with details and the exploit. The AIX 
security contact is a very nice guy but it looks like he can't find anyone 
at IBM that could listen to Totalstorage-related security issues.

The company Jedi/Sector One is working for just bought a newly 
manufactured IBM FastT 100. It could be crashed the same way as the 
Storagetek D280 controller, so almost all Engenio-based storage systems 
probably still share the same security issue.

Multiple emails were sent later to those vendors with the hope of having 
some news about that issue, but it was a waste of time. At this point 
Jedi/Sector One guesses there is nothing else that can be done.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:j@pureftpd.org> Jedi/Sector 
One.


