iSCSI: Secure As Long As Everything Else Is Too?

Thomas Ptacek | November 21st, 2005 | Filed Under: Bitching About Protocols, Matasano, New Findings

Richard Stiennon brokers the first substantive response to my iSCSI rant, which followed our disclosure of a game-over vulnerability in the market leader. Stiennon feels validated in his prediction from six months earlier that iSCSI would suffer security problems beyond authentication.

Stiennon’s friend at LeftHand responds, and I’m paraphrasing:

  • People use separate network segments for storage.

  • Clients can’t see each other’s SCSI LUNs (“drive numbers”).

  • SCSI supports CHAP!

  • As long as the client host never gets broken into, iSCSI is safe.

Well, allow me to retort.

I don’t know anything about LeftHand. I’d like to! Maybe they can send us a box to put through our iSCSI obstacle course. I freely concede that LeftHand may be the most secure iSCSI implementation on the planet. But we broke the market-leading implementation, and those guys aren’t stupid, so let’s not take each other’s words for it.

At any rate, my real problem with iSCSI isn’t authentication and it isn’t worm susceptibility or bad traffic. It’s the drastic increase in the threat surface. Prior to iSCSI, there were no meaningful attacks on filesystem drivers or SCSI firmware. The advent of iSCSI gives attackers new tools: adulterating filesystem metadata on the wire, in transit, and the ability to directly target SCSI drivers and firmware with malicious command blocks. Those attacks don’t really have anything to do with the iSCSI protocol; they’re about the underlying concept.

1 Comment so far

  • Anonymous

    November 21st, 2005 7:53 pm

    just configure ipsec on the initiator and the targets and get it over with.

    iscsi chap is not for security, it's really just for avoiding simple mistakes like attaching to the wrong target and starting doing i/o.
    like a poor man's zoning or volume masking.
