BSA-2020-1077

Brocade Fabric OS


21344

10 May 2021

08 September 2020

Closed

Medium

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - 6.1

Yes

CVE-2018-6449

Summary

Security Advisory ID : BSA-2020-1077

Component : HTTP management interface

Revision : 2.0

A Host Header Injection vulnerability in the HTTP management interface of Brocade Fabric OS versions before v9.0.0 and v8.2.3 could allow a remote attacker to inject arbitrary HTTP headers, which could let the attacker conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, password reset or session hijacking.

Note: There is no impact on the operation of the switch or on any Fibre Channel traffic. This vulnerability only affects management access through HTTP.
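As an added illustration (not Brocade code), the pattern behind the password reset and cache poisoning impacts listed above: a reset link built from the request's Host header, beside a hardened version that validates Host against an allowlist of canonical names and never copies it into the link. The hostnames, path and token are constructed assumptions.

```python
"""Host header injection: vulnerable URL builder versus allowlist-validated one.
Added example; hostnames below are constructed, not real Brocade values."""
from urllib.parse import urlunsplit

# Hypothetical canonical names of the management interface (constructed).
TRUSTED_HOSTS = {"switch01.example.internal", "10.0.0.5"}


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the host part of the link is copied from the request,
    so whatever Host value the request carried ends up in the emitted link."""
    host = headers.get("Host", "")
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def normalize_host(host: str) -> str:
    """Lower-case and strip an explicit port so 'Switch01:443' compares equal.
    An IPv6 literal such as '[::1]:443' keeps its brackets."""
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def host_is_trusted(host: str, allowlist=TRUSTED_HOSTS) -> bool:
    """True only when the normalized Host matches a configured canonical name."""
    return normalize_host(host) in allowlist


def build_reset_url_hardened(headers: dict, token: str,
                             canonical: str = "switch01.example.internal") -> str:
    """Hardened pattern: refuse requests with an untrusted Host, and build the
    link from a configured canonical name rather than from any request header
    (X-Forwarded-Host included)."""
    if not host_is_trusted(headers.get("Host", "")):
        raise ValueError("untrusted Host header")
    return urlunsplit(("https", canonical, "/reset", f"token={token}", ""))
```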

Affected Products

Brocade Fabric OS versions before v9.0.0 and v8.2.3.

Product Confirmed Not Vulnerable

  • Analysis is in progress for Brocade Fabric OS v7.4.x.
  • No other Brocade Fibre Channel products from Broadcom are currently known to be affected by this vulnerability.

Solution

A security update has been provided in Brocade Fabric OS versions v9.0.0 and v8.2.3.

All later versions of Brocade Fabric OS, including all FOS 9.X releases, will also contain this same security update.

Workaround

Minimizing exposure to this vulnerability can be done by the following means:

  • Use a firewall and ipfilter to limit access to the management interface to trusted hosts only;
  • Clear the browser cache.

Credit

This issue was discovered through security testing.

Revision History

Version  Change              Date
1.0      Initial Publication September 08, 2020
1.1      CVSS score update   November 20, 2020
2.0      Added 8.2.3         May 10, 2021