BSA-2020-906

Brocade Fabric OS


21604

24 January 2020

24 January 2020

Closed

Medium

8.2

Yes

CVE-2019-16203

Summary

Security Advisory ID : BSA-2020-906

Component : authentication

Revision : 1.0: Final

Brocade Fabric OS Versions before v8.2.2a and v8.2.1d could expose the credentials of the remote ESRS server when these credentials are given as a command line option when configuring the ESRS client.
The arguments provided as a command line option can be captured and saved in the switch CLI History or Audit Log.
The server credentials will not be exposed to any other user of the switch and cannot be viewed by any other user account on the switch including ADMIN. However, the server credentials could be visible to a support engineer that has been given a SupportSave from the switch.

Notes
The ESRS Client is only available in Brocade Fabric OS versions above v8.2.0.
The ESRS Client is not enabled by default and must be set up before this vulnerability applies.

Affected Products

Brocade Fabric OS Versions before v8.2.2a, and v8.2.1d.

No other Brocade Fibre Channel products from Broadcom are currently known to be affected by this vulnerability.

Workaround:

Use the CLI in "interactive mode". When the CLI is used in "interactive" mode, the switch does not store the values entered at the prompts.
The CLI History and Audit Log retain additional arguments only when they are provided as a command line option.
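The exposure described above is the general problem of secrets passed as command line arguments ending up in shell history and audit records, where they later travel inside a support bundle. The following Python script is an added example (not part of the advisory, and not Brocade code) that a defender can run over CLI history or audit log text before handing a SupportSave to a third party: it flags lines that carry an inline credential option and redacts the value, while a command entered in interactive mode (only the bare command is recorded) passes through untouched. The log line format, the command name `esrsclient`, and the list of option names are all constructed assumptions for the example, not identifiers from the advisory.

```python
import re

# Option names that commonly carry a secret on a command line. This list is an
# assumption for the example; extend it with the options your platform uses.
SECRET_OPTIONS = ("password", "passwd", "pass", "pwd", "secret", "token")

# Matches "--password value", "-password value", "--password=value" and the
# short alias "-p value" (also an assumption). The value may be quoted.
_SECRET_RE = re.compile(
    r"""(?P<opt>(?:--?(?:%s)|-p))(?P<sep>[=\s]+)(?P<val>"[^"]*"|'[^']*'|\S+)"""
    % "|".join(SECRET_OPTIONS),
    re.IGNORECASE,
)

# Constructed sample audit log. The timestamp/field layout and the command
# name "esrsclient" are hypothetical, chosen only to show the three cases.
SAMPLE_AUDIT_LOG = [
    # credentials supplied as command line options: the pattern the advisory describes
    "2020/01/24-10:15:02, [AUDIT], INFO, admin/CLI, esrsclient --configure "
    "--server esrs.example.com --user svc_esrs --password S3cretPass!",
    # same configuration done in interactive mode: prompted values are not logged
    "2020/01/24-10:20:41, [AUDIT], INFO, admin/CLI, esrsclient --configure",
    # unrelated command with a "-p..." option that must not be flagged
    "2020/01/24-10:22:05, [AUDIT], INFO, admin/CLI, portcfgshow -port 3",
]


def redact_line(line):
    """Return (redacted_line, secrets_found) for a single log line.

    Every value following a secret-carrying option is replaced with
    <REDACTED>; the option name and separator are kept so the command
    remains readable for the support engineer.
    """
    count = 0

    def _sub(match):
        nonlocal count
        count += 1
        return match.group("opt") + match.group("sep") + "<REDACTED>"

    return _SECRET_RE.sub(_sub, line), count


def scan_log(lines):
    """Redact every line and report which ones carried an inline secret.

    Returns (redacted_lines, findings). findings holds (index, redacted_line)
    pairs; the original line is deliberately not retained so the report
    itself does not re-expose the credential.
    """
    redacted_lines = []
    findings = []
    for index, line in enumerate(lines):
        redacted, count = redact_line(line)
        redacted_lines.append(redacted)
        if count:
            findings.append((index, redacted))
    return redacted_lines, findings


if __name__ == "__main__":
    cleaned, hits = scan_log(SAMPLE_AUDIT_LOG)
    for index, line in hits:
        print("line %d carried an inline credential: %s" % (index, line))
    print("\n".join(cleaned))
```

Run it against the exported history or audit log text (one record per line) and ship the redacted output; only the first sample line is flagged, the interactive-mode line and the unrelated `-port` option are left as they are.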

Solution:

A security update has been provided in Brocade Fabric OS versions v8.2.2a and v8.2.1d.
All later versions of Brocade Fabric OS, including all Brocade Fabric OS v9.X releases, also contain this same security update.
Brocade strongly recommends that all customers running the impacted version(s) upgrade to one of the identified patch levels or a higher version of Brocade Fabric OS to obtain the security update.

Credit

Brocade is grateful to Thorsten Tüllmann for reporting this vulnerability.

Revision History

Version | Change              | Date
1.0     | Initial Publication | January 24, 2020