Brocade Security Advisory

Brocade Security Advisory ID:

BSA-2017-208

 

Risk Impact:

High

Initial Publication Date:

May 1, 2017

 

Workaround:

Yes

Last Updated:

November 17, 2017

 

Component:

FOS

Revision:

2.0: Interim

 

CVSS Score:

8.0

 

Affected CVE(s):

CVE-2016-8202

 

 

 

 

 

 

 

Summary

A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated, attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected versions, non-root users can gain root access with a combination of shell commands and parameters.

Affected Products

Product

Current Assessment

Brocade Fabric OS

Impacted: Fixed in v7.4.1d and v8.0.1b.

Products Confirmed Not Vulnerable

No other Brocade products are currently known to be affected by this vulnerability.

Solution

Brocade has fixed the vulnerability described in this advisory in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) FOS v7.4.1d and later, Brocade FOS v8.0.1b and later releases. The patch releases have been posted to the MyBrocade web portal.

Workaround

Minimizing exposure to this vulnerability can be done by the following means:

-    Tightly control list of operators and administrators accessing the switch via CLI and other management interfaces;

-    Using firewall and ipfilter to limit access to switch CLI interface from trusted hosts only.

-    If you have not done so in the past, change all Brocade default account passwords, including the root passwords, from the default factory passwords.

-    Delete guest accounts and temporary accounts created for one-time usage needs.

-    Utilize FOS password policy management to strengthen the complexity, age, and history requirements of switch account passwords.

Recommended Action

Brocade strongly recommends that all customers running the impacted version(s) install the patch.

Credit

This vulnerability was found during internal security testing.

Revision History

Version

Change

Date

1.0

Initial Publication

May 1, 2017

2.0

Updated to revise FOS assessment

November 17, 2017

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.