Suspicious Incoming Connection

book

Article ID: 16880

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

This technical document explains how we receive a pop-up dialogue box when we are using CA PAM, especially on the Access page.



Why do I receive an alert entailing CA PAM has received suspicious incoming connections?

 

<Please see attached file for image>

 

Environment

Release: PAMCOA99500-3.0.1-PAM-Management Console-OVA Appliance
Component:

Resolution

These are ephemeral ports, they would be different every time. When you have the client running and you launch an RDP or SSH session you will see socket connections between local IPs.



Our client (web browser or PAM client) opens local listener ports that applets connect to when an access session is started.  A listener port in general can be accessed to be any other process on the same running system.  So, if multiple users have a client session going, user A in theory could connect to a listener port created for user B and thus get access to a target device to which user B has access.  To protect against that we added a check on the process tree.  If the process trying to connect is a child of the client process, it is fine.  If not, we spit out this warning.



Clicking cancel or OK will not effect your session, but we suggest to press Cancel to prevent any other users fro tampering with your CA PAM client session and possibly hijacking a session/connection using the same service you are binding to.

Attachments

1558701512948000016880_sktwi1f5rjvs16kjz.png get_app