BSA-2021-1722
21309
16 February 2022
16 February 2022
Closed
Low
CVSS Score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Yes
CVE-2021-27797
Summary
Security Advisory ID: BSA-2021-1722
Component: hard-coded credentials
Revision: 1.0
Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all versions of Brocade Fabric OS v8.0.x and v7.x contain documented hard-coded credentials, which could allow attackers to gain access to the system.
Brocade details “Default Accounts” with the default password “password” in the Brocade Fabric OS Administration Guide. The guide documents that a Brocade switch automatically prompts the user to change the default account passwords after logging in for the first time.
Affected Products
Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all versions of Brocade Fabric OS v8.0.x and v7.x.
Products Confirmed Not Vulnerable
Brocade Fabric OS v9.0.0 and later are not impacted.
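The version ranges above, applied to a switch inventory, as an added example that is not part of the advisory. The version-string pattern, the function names and the sample inventory are assumptions constructed for illustration; releases the advisory does not mention (older than v7.x) are reported as not covered.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release train.
FIXED = {(8, 2): "v8.2.1c", (8, 1): "v8.1.2h"}

# Assumed version syntax: optional "v", three numeric fields, optional letter
# and optional trailing number (e.g. v8.2.1c, 8.1.2h, v8.2.1c1).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)(\d*)$", re.IGNORECASE)


def parse_fos(version):
    """Turn a Fabric OS version string into a tuple that sorts by release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, sub = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(), int(sub or 0))


def classify(version):
    """Return 'affected', 'not-affected' or 'not-covered' per BSA-2021-1722."""
    v = parse_fos(version)
    train = v[:2]
    if v[0] >= 9:                      # v9.0.0 and later are not impacted
        return "not-affected"
    if v[0] == 7 or train == (8, 0):   # all v7.x and v8.0.x are affected
        return "affected"
    if train in FIXED:                 # v8.1.x / v8.2.x: compare with the fix
        return "affected" if v < parse_fos(FIXED[train]) else "not-affected"
    return "not-covered"               # release the advisory does not mention


def affected_hosts(inventory):
    """Names of switches whose firmware predates the enforced password change."""
    return [host for host, ver in inventory if classify(ver) == "affected"]


# Constructed sample inventory (hostnames and versions made up for this example).
SAMPLE_INVENTORY = [
    ("san-sw-01", "v7.4.1b"),
    ("san-sw-02", "v8.0.2f"),
    ("san-sw-03", "v8.1.2g"),
    ("san-sw-04", "v8.1.2h"),
    ("san-sw-05", "v8.2.1c1"),
    ("san-sw-06", "v9.0.0"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(host)
```

A "not-affected" result reflects the firmware level only; the advisory's workaround of changing the default passwords applies on every version.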
Workaround
The Brocade Fabric OS Administration Guide mandates changing the "default Account Password". Customers running any version of Brocade Fabric OS must change the default passwords for these accounts.
Solution
As part of “SB-327 Information privacy: connected devices” compliance, Brocade enhanced the Brocade Fabric OS login prompt for default passwords. A switch admin can no longer bypass the default password change prompt and must choose a non-default password.
The enforcement of the mandatory password change is effective in Brocade Fabric OS v9.0.0, v8.2.1c, v8.1.2h, and higher versions. Brocade recommends upgrading to these versions or later to receive the security update.
Credit
Cody Martin from Black Lantern Security reported this issue in Brocade Fabric OS v7.4.1b and v7.3.1d.
Note:
Brocade Fabric OS v7.4.1b and v7.3.1d have reached End of Availability (EOA) and are no longer supported. Brocade also recommends that customers run supported Brocade software versions.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | February 14, 2022 |