CA PAM received suspicious incoming connection popups from port scans

Article ID: 16880


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Why does one receive alerts stating that CA PAM has received suspicious incoming connections?

Cause

The PAM client opens sockets on local IPs and ports that built-in access methods, such as the SSH MindTerm client or the PAM RDP client, or external clients configured in TCP/UDP services connect to when an access session is started. In general, a port on a local IP can be connected to by any other process running on the same server or workstation. If multiple users are logged in, user A could in theory connect to a listener port created for user B and thus gain access to a target device to which only user B was granted access. To protect against this, the PAM client checks the process ID of the incoming socket connection and then the session that this process belongs to. If the process belongs to the same session the PAM client is running in, the connection is allowed. If not, the PAM client pops up the warning.

Resolution

Clicking either Yes or No to allow or block the incoming connection will not affect your session. We suggest pressing No to prevent other users from tampering with your CA PAM client session and possibly hijacking a session/connection through the same service you are binding to, unless you are confident that the connection is the result of a workflow you started or is legitimate for another reason.

It is possible that other software running on the same host, such as a security product looking for vulnerabilities (e.g., Windows Defender), tries to connect to PAM client listener sockets. The PAM client log file, logs.log in the PAM client installation folder, may include additional information, specifically the process ID (PID) of the process attempting to connect, e.g.

2021-03-10 12:46:59 ERROR - Cross user session connection is blocked: current session id = 1; session id of incoming connection = 0; process-owner PID = 19872

Use Task Manager on Windows hosts to identify the process based on the PID seen in the PAM client log (19872 in the above message) and, if possible, reconfigure it not to interfere with the PAM client. If the PAM client log shows the PID as "-1", the connection may have been attempted by a temporary process that exited right after attempting the connection. Possible candidates are local port scanners or other software using local IP listeners. These could be identified with a netstat command such as

netstat -abno | findstr LISTEN | findstr <local IP>

where <local IP> would be the local IP seen in the popup, 127.0.0.1 in the above example.
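As an added example that is not part of the article or of the PAM client itself, the following PowerShell script performs the same triage on a Windows host: it extracts the PIDs from blocked cross-session entries in logs.log, resolves each PID to its process and session the way the PAM client does (process, then session, compared with the session of the current user), and lists listeners on the local IP with their owning processes as the netstat command above would. The log path placeholder and the $LocalIP parameter are assumptions to adjust for your installation.

```powershell
# Added triage helper (not CA PAM code). Assumes Windows PowerShell 5.1+ with the
# NetTCPIP module (Get-NetTCPConnection). Adjust $LogPath to your PAM client install folder.
param(
    [string]$LogPath = '<PAM client install folder>\logs.log',   # placeholder path
    [string]$LocalIP = '127.0.0.1'                               # local IP shown in the popup
)

# 1. Pull every blocked cross-session entry out of logs.log and extract session ids and PID.
$pattern = 'current session id = (?<cur>\d+); session id of incoming connection = (?<in>-?\d+); process-owner PID = (?<pid>-?\d+)'
$events = Select-String -Path $LogPath -Pattern $pattern | ForEach-Object {
    [pscustomobject]@{
        Line        = $_.Line
        CurrentSid  = [int]$_.Matches[0].Groups['cur'].Value
        IncomingSid = [int]$_.Matches[0].Groups['in'].Value
        OwnerPid    = [int]$_.Matches[0].Groups['pid'].Value
    }
}

# 2. Resolve each PID as the PAM client does: process -> session, then compare with the
#    session this shell runs in (the same session as the user's own PAM client).
$mySession = (Get-Process -Id $PID).SessionId
foreach ($e in ($events | Sort-Object OwnerPid -Unique)) {
    if ($e.OwnerPid -lt 0) {
        Write-Output 'PID -1: transient process (exited before lookup); check the listener list below'
        continue
    }
    $proc = Get-Process -Id $e.OwnerPid -ErrorAction SilentlyContinue
    if ($null -eq $proc) {
        Write-Output "PID $($e.OwnerPid): no longer running; session at time of block was $($e.IncomingSid)"
    } else {
        $verdict = if ($proc.SessionId -eq $mySession) { 'same session (would be allowed)' } else { 'cross-session (blocked)' }
        Write-Output ('PID {0}: {1} [{2}] session {3} -> {4}' -f $proc.Id, $proc.ProcessName, $proc.Path, $proc.SessionId, $verdict)
    }
}

# 3. Equivalent of "netstat -abno | findstr LISTEN | findstr <local IP>": listeners bound to the
#    local IP with their owning process and session, to spot scanners or other local-listener software.
Get-NetTCPConnection -LocalAddress $LocalIP -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = $owner.ProcessName
            SessionId = $owner.SessionId
        }
    } | Format-Table -AutoSize
```

Run it from the same interactive session in which the PAM client is running, since the session comparison uses the session of the shell itself.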

Additional Information

See KB 101499 for details on how these popup messages could be observed on jump servers on which multiple users run PAM client instances.