RecoverPoint: ISCSI targets unauthenticated detected on RPA  by port scan

           

   Article Number:     497597                                   Article Version: 6     Article Type:    Break Fix 
   

 


Product:

 

RecoverPoint,RecoverPoint EX,RecoverPoint SE

 

Issue:

 

 

   

      Security scan shows unauthorized access allowed through TCP port 3260.         
         
          Affected version: Physical RPAs running version 5.0, 5.1 and later.
    

   

      The security scan will just show:    

   

      unauthorized access being allowed through TCP port 3260.    

   

      Expect prints like:    

   

      other.host.name 1x.xx.2xx.xx ( 3260 / TCP )    

   

      iqn.1992-04.com.emc:recoverpoint.0xXXXXXXXXXX.rpa0.eth1.0.tgt     

   

      other.host.name 1x.xx.2xx.xx ( 3260 / TCP )   

   

      iqn.1992-04.com.emc:recoverpoint.0xXXXXXXXXXX.rpa1.eth1.0.tgt     

   

      host.name.here 1x.xx.2x.xx ( 3260 / TCP )    

   

      iqn.1992-04.com.emc:recoverpoint.0xXXXXXXXXXXX.rpa0.eth1.0.tgt     

   

      host.name.here 1x.xx.2x.xx ( 3260 / TCP )    

   

      iqn.1992-04.com.emc:recoverpoint.0xXXXXXXXXXXX.rpa1.eth1.0.tgt   

   

          

                                                             

 

 

Cause:

 

 

ISCSI port needs to be open for ScaleIO support in 5.x codes.                                                           

 

 

Change:

 

 

Security scan run customer environment                                                           

 

 

Resolution:

 

 

Workaround :       
       
        Signed script that will stop TCP connections to port 3260:       
       
        ZDdmMzAzOWZjMmExN2QyZDI4MjA3NGIwZWIyNDM3MjYKdW5saW1pdGVkCm5vdF9yZXN0cmljdGVk       
        ClRoZSBpZCBvZiB0aGUgc2NyaXB0IGlzOjEzODQxNQpTY3JpcHQgdG8gbW9kaWZ5IHRoZSBJUCB0       
        YWJsZXMgdG8gYmxvY2sgaVNDU0kgcG9ydC4KSm9zZUEKIyEgL2Jpbi9iYXNoCnNlZCAtaSAncy9e       
        LUEgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMzI2MCAtaiBBQ0NFUFQvIy1BIElOUFVUIC1wIHRjcCAt       
        LWRwb3J0IDMyNjAgLWogQUNDRVBULycgL2V0Yy9pcHRhYmxlcy5ydWxlcwpvcmlnRm91bmQ9YGdy       
        ZXAgIiMtQSBJTlBVVCAtcCB0Y3AgLS1kcG9ydCAzMjYwIC1qIEFDQ0VQVCIgL2V0Yy9pcHRhYmxl       
        cy5ydWxlcyB8IHdjIC1sYApyZXBsYWNlRm91bmQ9YGdyZXAgLS0gIi1BIElOUFVUIC1wIHRjcCAt       
        LWRwb3J0IDMyNjAgLWogQUNDRVBUIiAvZXRjL2lwdGFibGVzLnJ1bGVzIHwgd2MgLWxgCmlmIFsg       
        IiRyZXBsYWNlRm91bmQiIC1lcSAiJG9yaWdGb3VuZCIgXTsgdGhlbgogICAgICAgIGVjaG8gIlN1       
        Y2Nlc3NmdWxseSBzZXQgL2V0Yy9pcHRhYmxlcy5ydWxlcywgY29tbWVudGVkIG91dCAnLUEgSU5Q       
        VVQgLXAgdGNwIC0tZHBvcnQgMzI2MCAtaiBBQ0NFUFQnLiIKZWxzZQogICAgICAgIGVjaG8gIlVu       
        c3VjY2Vzc2Z1bGx5IHNldCAvZXRjL2lwdGFibGVzLnJ1bGVzLCBmb3VuZCBhICctQSBJTlBVVCAt       
        cCB0Y3AgLS1kcG9ydCAzMjYwIC1qIEFDQ0VQVCcgdGhhdCB3YXMgbm90IGNvbW1lbnRlZCBvdXQu       
        IgpmaQo=       
        #       
       
        Run the above script on the affected RPA and then reboot it. After it boots back up, run the security scan again and should not show the vulnerability.       
       
       
        If you like to undo the above change, please apply the script below follow by a reboot:       
       
        MDkwMmQwZjg2Yjk0ODM3NmYwNjE3ZmNiZWJlZWZkZWMKdW5saW1pdGVkCm5vdF9yZXN0cmljdGVk       
        ClRoZSBpZCBvZiB0aGUgc2NyaXB0IGlzOjEzODQxNQpTY3JpcHQgdG8gbW9kaWZ5IHRoZSBJUCB0       
        YWJsZXMgdG8gdW5ibG9jayBpU0NTSSBwb3J0LgpKb3NlQQojISAvYmluL2Jhc2gKc2VkIC1pICdz       
        L14jLUEgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMzI2MCAtaiBBQ0NFUFQvLUEgSU5QVVQgLXAgdGNw       
        IC0tZHBvcnQgMzI2MCAtaiBBQ0NFUFQvJyAvZXRjL2lwdGFibGVzLnJ1bGVzCm9yaWdGb3VuZD1g       
        Z3JlcCAiIy1BIElOUFVUIC1wIHRjcCAtLWRwb3J0IDMyNjAgLWogQUNDRVBUIiAvZXRjL2lwdGFi       
        bGVzLnJ1bGVzIHwgd2MgLWxgCnJlcGxhY2VGb3VuZD1gZ3JlcCAtLSAiLUEgSU5QVVQgLXAgdGNw       
        IC0tZHBvcnQgMzI2MCAtaiBBQ0NFUFQiIC9ldGMvaXB0YWJsZXMucnVsZXMgfCB3YyAtbGAKaWYg       
        WyAiJHJlcGxhY2VGb3VuZCIgLWVxICIkb3JpZ0ZvdW5kIiBdOyB0aGVuCiAgICAgICAgZWNobyAi       
        VW5zdWNjZXNzZnVsbHkgc2V0IC9ldGMvaXB0YWJsZXMucnVsZXMsICctQSBJTlBVVCAtcCB0Y3Ag       
        LS1kcG9ydCAzMjYwIC1qIEFDQ0VQVCcgaXMgc3RpbGwgY29tbWVudGVkIG91dC4iCmVsc2UKICAg       
        ICAgICBlY2hvICJTdWNjZXNzZnVsbHkgc2V0IC9ldGMvaXB0YWJsZXMucnVsZXMsIHVuY29tbWVu       
        dGVkICctQSBJTlBVVCAtcCB0Y3AgLS1kcG9ydCAzMjYwIC1qIEFDQ0VQVCcuIgpmaQo=       
        #
   
   
   
    Steps to apply the signed script on RPA:   

      SSH to RPA using 'boxmgmt' account,     
      At the main menu, go to   
   
      [2] Setup     
      [8] Advanced options     
      [4] Run script     
      Enter the signed script including the # at the end     
      Hit enter and type your name if it asks     
      Hit enter again to apply the script   
   
     
      Steps to reboot the RPA after applied the signed script:   
   
      [M] Main Menu   
   
      [5] Shutdown / Reboot operations      
      [1] Reboot RPA   
   
      Wait till the RPA comes back before move to the next RPA