SDP-685

tom_tyler (C. Thomas Tyler)
C. Thomas Tyler created this job, modified by C. Thomas Tyler
Fixed
libcore.sh rrun() misinterpreted by Palo Alto firewall as attack.

The rrun() function for running code on a remote machine creates
a temporary script, and then uses scp to copy the script to the
remote machine where the script is then executed.

Normally, this works fine, but it is possible that a Palo Alto
firewall will block this with a "Threat" indication saying
"SSH User Authentication Brute Force Attempt".

When this occurs, the result is an error message containing text
like the following:

lost connection
rrun(): Failed to copy temp command script to host bos-helix-02.

If the command the script is attempting to run is executed
manually on the command line, it works. It is blocked by Palo
Alto Networks (PAN) firewall when called via the script.
28048 Attempted workaround for SDP-685.

Changed to enhance security by ensuring copied temp scripts have only
perms for owner from the point of inception.
Status: Fixed
Project: perforce-software-sdp
Severity: C
Reported By: C. Thomas Tyler
Reported Date:
Modified By: C. Thomas Tyler
Modified Date:
Owned By: tom_tyler
Dev Notes:
2021-09-24 ttyler:
A possible fix might be to change the logic so that the script
is copied over first non-executable, and then an SSH call made
to do the 'chmod +x' on the remote machine, and then a call
made to execute the script once it already exists on the remote
machine.  The theory here is that the scp of an already-executable
script is triggering the Palo Alto response.
Component: core-unix
Type: Bug
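
The staged copy proposed in the Dev Notes (copy non-executable, chmod over SSH, then execute), combined with the owner-only permissions from the change description, sketched as an added example. It is not the SDP's own rrun() code; `rrun_staged`, `RRUN_SCP`, `RRUN_SSH` and the choice of the remote home directory as the destination are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example; rrun_staged, RRUN_SCP and RRUN_SSH are hypothetical names,
# not part of SDP's libcore.sh.
RRUN_SCP=${RRUN_SCP:-scp}   # transport commands, overridable for testing
RRUN_SSH=${RRUN_SSH:-ssh}

# Usage: rrun_staged <host> <command string>
rrun_staged() {
    local host="$1" cmd="$2" local_tmp name

    # mktemp creates the file with mode 0600: owner-only from inception,
    # and never executable on the local side.
    local_tmp=$(mktemp "${TMPDIR:-/tmp}/rrun.XXXXXXXX") || return 1
    printf '#!/bin/bash\n%s\n' "$cmd" > "$local_tmp"

    # Assumption: the script lands in the remote user's home directory
    # (relative scp path) under the random name mktemp generated.
    name=".${local_tmp##*/}"

    # Step 1: copy the script non-executable; -p keeps the 0600 mode.
    if ! "$RRUN_SCP" -pq "$local_tmp" "$host:$name"; then
        echo "rrun_staged(): Failed to copy temp command script to host $host." >&2
        rm -f "$local_tmp"
        return 1
    fi
    rm -f "$local_tmp"

    # Step 2: a separate SSH call makes it executable, for the owner only.
    if ! "$RRUN_SSH" -q "$host" "chmod 700 '$name'"; then
        echo "rrun_staged(): Failed to chmod temp command script on host $host." >&2
        "$RRUN_SSH" -q "$host" "rm -f '$name'"
        return 1
    fi

    # Step 3: run it, remove it, and hand back the script's own exit code.
    "$RRUN_SSH" -q "$host" "./'$name'; rc=\$?; rm -f '$name'; exit \$rc"
}
```

Each of the three steps is a separate SSH connection and authentication.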