BSA-2021-1722

Brocade Fabric OS

2 more products

21309

16 February 2022

16 February 2022

Closed

Low

CVSS Score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Yes

CVE-2021-27797

Summary

Security Advisory ID : BSA-2021-1722

Component : hard-coded credentials

Revision : 1.0

Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all versions of Brocade Fabric OS v8.0.x and v7.x contain documented hard-coded credentials, which could allow attackers to gain access to the system.

Brocade documents the “Default Accounts” and their default password “password” in the Brocade Fabric OS Administration Guide. The same guide states that a Brocade switch automatically prompts for a change of the default account passwords after the first login.

Affected Products

Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all versions of Brocade Fabric OS v8.0.x and v7.x.

Products Confirmed Not Vulnerable

Brocade Fabric OS v9.0.0 and later are not impacted.

Workaround

The Brocade Fabric OS Administration Guide mandates changing the “Default Account Password”. Customers running any version of Brocade Fabric OS must change the default passwords for these accounts.

Solution

As part of “SB-327 Information privacy: connected devices” compliance, Brocade enhanced the Brocade Fabric OS login prompt for default passwords. A switch admin can no longer bypass the default password change prompt and must choose a non-default password.

Mandatory password change is enforced from Brocade Fabric OS v9.0.0, v8.2.1c, and v8.1.2h onward. Brocade recommends upgrading to these versions or later to receive the security update.
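To turn the affected and fixed version lists above into an inventory check, here is an added Python example (not Brocade's code and not part of the advisory) that parses Fabric OS version strings of the form shown here (v<major>.<minor>.<patch> plus an optional letter suffix) and flags the affected range. The switch names and the inventory are constructed, and treating any 8.x train after 8.2 as fixed from v8.2.1c onward is an assumption based on the wording "v8.2.1c ... and higher versions".

```python
import re

# Version shape assumed from the advisory's own strings, e.g. "v8.2.1c":
# major.minor.patch plus an optional single-letter patch-level suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_fos_version(text: str) -> tuple:
    """Turn 'v8.2.1c' into the comparable tuple (8, 2, 1, 'c').

    An absent suffix becomes '', which sorts before 'a', so v8.2.1 < v8.2.1c
    under plain tuple comparison. Raises ValueError on anything else.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


# First releases with enforced default-password change, per the Solution section.
FIXED_8_1 = parse_fos_version("v8.1.2h")
FIXED_8_2 = parse_fos_version("v8.2.1c")


def is_affected_by_bsa_2021_1722(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    v = parse_fos_version(version)
    major, minor = v[0], v[1]
    if major >= 9:
        return False          # v9.0.0 and later are not impacted
    if major < 8 or minor == 0:
        return True           # all v7.x (and anything older) and all v8.0.x
    if minor == 1:
        return v < FIXED_8_1  # v8.1.x train fixed at v8.1.2h
    # v8.2.x fixed at v8.2.1c; later 8.x trains treated the same (assumption).
    return v < FIXED_8_2


def audit_inventory(inventory: dict) -> list:
    """Return the switch names whose firmware is still in the affected range."""
    return [name for name, ver in inventory.items() if is_affected_by_bsa_2021_1722(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = {"san-sw-01": "v7.4.1b", "san-sw-02": "v8.2.1b",
              "san-sw-03": "v8.2.1c", "san-sw-04": "v9.0.0"}
    print("Affected:", audit_inventory(sample))  # Affected: ['san-sw-01', 'san-sw-02']
```

A version flagged here only means the enforced first-login password change is absent; the workaround above (changing the default account passwords manually) still closes the exposure on such switches.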

Credit

Cody Martin from Black Lantern Security reported this issue in Brocade Fabric OS v7.4.1b and v7.3.1d.

Note:

Brocade Fabric OS v7.4.1b and v7.3.1d have reached End of Availability (EOA) and are no longer supported. Brocade also recommends that customers run supported Brocade software versions.

Revision History

Version   Change                Date
1.0       Initial Publication   February 14, 2022