Brocade Security Advisory

Brocade Security Advisory ID: BSA-2016-209
Risk Impact: High
Initial Publication Date: January 6, 2017
Workaround: Yes
Last Updated: January 6, 2017
Component: Web UI
Revision: 1.0: Final
CVSS Score: 7.5
Affected CVE(s): CVE-2016-8201

Summary

A CSRF vulnerability in Brocade Virtual Traffic Manager versions 11.0 and earlier could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster.

Affected Products

Product: Brocade Virtual Traffic Manager
Current Assessment: Impacted. Fixed in 11.1, 10.4r1, 9.9r2, and later releases.

Products Confirmed Not Vulnerable

No other Brocade products are currently known to be affected by this vulnerability.

Solution

Brocade strongly recommends that all customers running the impacted version(s) install the patch.

Workaround

Exposure to this vulnerability can be minimized by the following means:

- Reducing the amount of time an administrator is logged into the web user interface by actively logging out at the end of each administration session.

- Ensuring the permissions for each administrator account are reduced to the minimal set required, in line with the principle of least privilege.

- Avoiding the use of any untrusted service, system or network while logged in as an administrator via the web user interface.

A broader workaround is to prevent access to untrusted services, systems or networks while using the web user interface, for example by partitioning and isolating the management network. To restrict administrative access so that it is available only via a single IP address, see the bindip configuration setting.

Other administrative interfaces, specifically the REST API, SOAP API and zcli utility, are not impacted by this vulnerability and can be used to perform a wide range of administrative operations.
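The following is an added illustration, not Brocade's code and not a description of how the Virtual Traffic Manager web UI is implemented. It shows the mechanism behind the Summary and the workaround advice above: a request authorised by the session cookie alone is accepted even when a third-party page submitted it, which is why staying logged in for long periods widens exposure, whereas a handler that also demands a per-session synchronizer token rejects the forged request. The session store, cookie name, form fields and the `add_virtual_server` action are all constructed for this example.

```python
"""Synchronizer-token CSRF defence, shown as a vulnerable handler beside a
hardened one. Everything here (session store, cookie and field names, the
'add_virtual_server' action) is constructed for illustration."""
import hmac
import secrets

# Constructed server-side session store: session id -> session record.
SESSIONS = {}


def create_session(user: str) -> dict:
    """Log a user in: issue a session id and a per-session CSRF token."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return {"session_id": session_id, "csrf_token": SESSIONS[session_id]["csrf_token"]}


def _session_from_cookie(request: dict):
    """Resolve the session the browser's cookie points at, if any."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def vulnerable_handler(request: dict) -> str:
    """Authorises the change on the session cookie alone.

    Browsers attach cookies to cross-site requests, so a page the
    administrator merely visits can submit this form and have it accepted."""
    session = _session_from_cookie(request)
    if session is None:
        return "401 not logged in"
    return f"200 applied change for {session['user']}: {request['form']['action']}"


def hardened_handler(request: dict) -> str:
    """Requires a per-session token that a cross-site page cannot read.

    The token is issued with the session and embedded in the UI's own forms;
    the same-origin policy keeps other origins from obtaining it."""
    session = _session_from_cookie(request)
    if session is None:
        return "401 not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    return f"200 applied change for {session['user']}: {request['form']['action']}"


def demo() -> dict:
    """Run both handlers against a legitimate request and a forged one."""
    login = create_session("admin")
    cookie = {"session": login["session_id"]}

    # Request from the UI's own form: carries the token the form was rendered with.
    legitimate = {"cookies": cookie,
                  "form": {"action": "add_virtual_server",
                           "csrf_token": login["csrf_token"]}}
    # Request auto-submitted by a third-party page: the browser adds the cookie,
    # but that page cannot read the token, so the field is absent.
    forged = {"cookies": cookie, "form": {"action": "add_virtual_server"}}

    return {
        "vulnerable_legit": vulnerable_handler(legitimate),
        "vulnerable_forged": vulnerable_handler(forged),
        "hardened_legit": hardened_handler(legitimate),
        "hardened_forged": hardened_handler(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints the four outcomes: the vulnerable handler applies both the legitimate and the forged change, while the hardened handler applies only the request that carries the token. The token check is the server-side fix; the workarounds above (short sessions, least privilege, no untrusted browsing while logged in, binding the UI to a management address) reduce the window in which a forged request can find a valid session cookie.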

Credit

Brocade thanks Sven Schleier of Vantage Point Security for reporting this vulnerability.

Brocade Revision History

Version: 1.0
Change: Initial Publication
Date: January 6, 2017

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.