CSAM: My Storage Array SSHs Outbound!

Published: 2014-10-02
Last Updated: 2014-10-02 14:29:31 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Kuddos to Matthew for paying attention to egress traffic. We keep emphasizing how important it is to make sure no systems talk "outbound" without permission. Just this last week, various Shellshock exploits did just that: Turn devices into IRC clients or downloading additional tools via HTTP, or just reporting success via a simple ping.

So no surprise that Matthew wrote us: "... the first time I saw the storage array SSH to the internet I about fainted. ..."

I would be surprised too! And turns out that isn't the only person that experienced this. Mark noted:

"Had the seem freak moment when I saw it happen.  The SAN happily communicating to an outside entity.  Though the company had been well and truly hosed."

Luckily, before going too far down the incident handling road, Matthew realized that this was a false positive. The storage array in question called "back home" to the vendor to report on its status. The purpose of this communication is to report failed disks or other critical events that may trigger a service call. Vendors will agree to turn off this feature, but then of course it is up to you to recognize faulty disks.

Got anything like that? Let us know. (if possible with log snippet / packet capture or other show-and-tells)

Johannes B. Ullrich, Ph.D.

Keywords: CSAM14
3 comment(s)


It would be interesting to know whether any egress filtering was used. If the SAN allows SSH outbound to ANY client then they may have deeper security issues then just this particular communication!
My first thought upon reading this: why was egress traffic not already restricted by firewall policies?
We set up a snort rule here that watches for any outbound traffic from certain internal server subnets for just this sort of reason. It's been a bit of a struggle, however, because the windows servers have a penchant for downloading CRLs from hither 'n yon and some software has a local-browser-only interface, with browsers that helpfully visit facebook URIs as soon as you open them up ("Like us on facebook, ok!!" - grrr)

But it's also uncovered some interesting behavior by a number of vendors. Backup software that is only supposed to be backing up to local media but that phones home to momma anytime a backup is run? Creepy, but allegedly part of their support ("it tells us when one of your backups fails" - rolls eyes).

It's also caught some contractors surfing the web (youtube/facebook/twitter/etc) from the corporate servers they're supposed to be fixing/modifying web apps on. Phooey.

So tweaking the snort config to weed out all of the (depressingly) normal outbound traffic has been tedious, but worth the effort.

Diary Archives