Matasano Releases iSCSI Security Research, First iSCSI Security Findings
New York, NY --- October 25, 2005 --- Matasano Security, an independent security research and development organization, today announced preliminary results from a research project exploring the security implications of iSCSI SAN storage. Matasano's research uncovered and was instrumental in resolving a critical vulnerability in iSCSI appliances by market leader Network Appliance (NASDAQ:NTAP), which are deployed in over 2000 production SANs (storage area networks) worldwide.
Over the course of a multi-month research project, Matasano scrutinized the world's leading iSCSI SAN implementation, subjecting the appliance to probes for over 50 protocol and implementation flaws, including:
Buffer Overflows, Format Strings, and Integer Overflows
Authentication Bypass and CHAP Authentication Vulnerabilities
Malformed and Randomized SCSI Commands
iSCSI Session Management Vulnerabilities
Matasano's testing found that, on certain vulnerable versions of the Network Appliance Data ONTAP operating system, attackers could access iSCSI volumes without a password. This finding represents the first iSCSI security vulnerability ever disclosed to the industry. Based on Matasano's results, Network Appliance was able to close the vulnerability across its Filer product line, preemptively eliminating a critical security threat before attackers were able to exploit it.
Technical data from Matasano's research was made available to the security research community today, after Network Appliance made hardened versions of its Data ONTAP operating system available for download on its support site.
"IP SANs are a perfect example of new technology where customer demand for low-cost, high-performance solutions increases pressure on developers and creates a clear need for security assurance testing," said Window Snyder, CTO of Matasano Security. "We are impressed by how well Network Appliance fared under intense scrutiny, pleased to help close a major vulnerability, and eager to extend our research to other SAN platforms."
ABOUT MATASANO SECURITY
With a novel focus on internal application and infrastructure security and a unique mix of development and security expertise, Matasano Security provides security assurance to vendors that build complex products, and to the customers in whose high-risk environments those products are deployed. Founded in 2005 and headquartered in New York, Matasano has locations in Chicago and Seattle. For more information, visit www.matasano.com.