CA PAM received suspicious incoming connection popups from PAM client

Article ID: 16880

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Why does the CA PAM client show alerts stating that it has received a suspicious incoming connection?

Environment

Affects any PAM release as of March 2021, and is not expected to change in the near future.

Cause

The PAM client opens sockets on local IPs and ports that built-in access methods, such as the SSH mindterm client or the PAM RDP client, or external clients configured in TCP/UDP services connect to when an access session is started. In general, a port on a local IP can be connected to by any other process running on the same server or workstation. If multiple users are logged in, user A could in theory connect to a listener port created for user B and thus gain access to a target device that user B is entitled to. To protect against that, the PAM client looks up the process ID of the incoming socket connection and then determines the session that process belongs to. If the process belongs to the same session the PAM client is running in, the connection is allowed; otherwise the PAM client shows the warning popup.

Resolution

Clicking either Yes or No in the popup will not affect your session. Unless you are confident that the connection is the result of a workflow you started or is otherwise legitimate, we suggest pressing Yes to block the incoming connection, which prevents other users from tampering with your CA PAM client session and possibly hijacking a session/connection through the same service you are binding to.

It is possible that other software running on the same host tries to connect to PAM client listener sockets. The PAM client log file, logs.log in the PAM client installation folder, may include additional information, specifically the process ID of the process attempting to connect, e.g.

2021-03-10 12:46:59 ERROR - Cross user session connection is blocked: current session id = 1; session id of incoming connection = 0; process-owner PID = 19872

Use Task Manager on Windows hosts to identify the process based on the PID seen in the PAM client log (19872 in the above message), and if possible reconfigure it to not interfere with the PAM client. If the PAM client log shows the PID as "-1", the connection may have been attempted by a temporary process that exits right after attempting the connection. Possible candidates would be local port scanners, or other software utilizing local IP listeners. These could be identified with a netstat command such as

netstat -abno | findstr LISTEN | findstr <local IP>

where <local IP> is the local IP shown in the popup, e.g. 127.0.0.1.
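The triage steps above can be scripted for a logs.log file that contains many blocked-connection lines. The following is an added example, not code from CA PAM or this article; it assumes every blocked-connection entry follows the exact format of the sample line shown above, and it runs on a constructed log excerpt rather than a real logs.log.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the "Cross user session connection is blocked" line shown in the article.
# The exact field layout is an assumption drawn from that single sample line.
BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR - "
    r"Cross user session connection is blocked: "
    r"current session id = (?P<cur>\d+); "
    r"session id of incoming connection = (?P<inc>\d+); "
    r"process-owner PID = (?P<pid>-?\d+)$"
)

@dataclass
class BlockedConnection:
    timestamp: str
    current_session: int
    incoming_session: int
    pid: int

    @property
    def transient(self) -> bool:
        """PID -1 means the peer exited before the PAM client could resolve it."""
        return self.pid == -1

    def triage(self) -> str:
        # Follow the article: a resolvable PID goes to Task Manager, PID -1 to netstat.
        if self.transient:
            return ("peer process exited before lookup; list local listeners with "
                    "'netstat -abno | findstr LISTEN | findstr <local IP>'")
        return f"identify PID {self.pid} in Task Manager (owner session {self.incoming_session})"

def parse_blocked_events(log_text: str) -> List[BlockedConnection]:
    """Return one BlockedConnection per matching line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.match(line.strip())
        if m:
            events.append(BlockedConnection(m["ts"], int(m["cur"]), int(m["inc"]), int(m["pid"])))
    return events

# Constructed sample excerpt (not a real logs.log): line 1 is the article's example,
# line 2 is an unrelated constructed entry, line 3 shows the PID -1 case.
SAMPLE_LOG = """\
2021-03-10 12:46:59 ERROR - Cross user session connection is blocked: current session id = 1; session id of incoming connection = 0; process-owner PID = 19872
2021-03-10 12:47:03 INFO - Access session started
2021-03-10 12:47:10 ERROR - Cross user session connection is blocked: current session id = 1; session id of incoming connection = 2; process-owner PID = -1
"""

if __name__ == "__main__":
    for ev in parse_blocked_events(SAMPLE_LOG):
        print(ev.timestamp, ev.triage())
```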