CSAM: My Storage Array SSHs Outbound!
Kuddos to Matthew for paying attention to egress traffic. We keep emphasizing how important it is to make sure no systems talk "outbound" without permission. Just this last week, various Shellshock exploits did just that: Turn devices into IRC clients or downloading additional tools via HTTP, or just reporting success via a simple ping.
So no surprise that Matthew wrote us: "... the first time I saw the storage array SSH to the internet I about fainted. ..."
I would be surprised too! And turns out that isn't the only person that experienced this. Mark noted:
"Had the seem freak moment when I saw it happen. The SAN happily communicating to an outside entity. Though the company had been well and truly hosed."
Luckily, before going too far down the incident handling road, Matthew realized that this was a false positive. The storage array in question called "back home" to the vendor to report on its status. The purpose of this communication is to report failed disks or other critical events that may trigger a service call. Vendors will agree to turn off this feature, but then of course it is up to you to recognize faulty disks.
Got anything like that? Let us know. (if possible with log snippet / packet capture or other show-and-tells)
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Oct 2nd 2014
1 decade ago
Anonymous
Oct 2nd 2014
1 decade ago
But it's also uncovered some interesting behavior by a number of vendors. Backup software that is only supposed to be backing up to local media but that phones home to momma anytime a backup is run? Creepy, but allegedly part of their support ("it tells us when one of your backups fails" - rolls eyes).
It's also caught some contractors surfing the web (youtube/facebook/twitter/etc) from the corporate servers they're supposed to be fixing/modifying web apps on. Phooey.
So tweaking the snort config to weed out all of the (depressingly) normal outbound traffic has been tedious, but worth the effort.
Anonymous
Oct 2nd 2014
1 decade ago