BSA-2022-2012

Brocade Fabric OS

2 more products

21278

25 July 2022

25 July 2022

Closed

Low

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - 3.3

N/A

CVE-2021-27798

Summary

Security Advisory ID : BSA-2022-2012

Component : Brocade Fabric OS

Revision : 1.1: Final

Brocade has received a report from Black Lantern Security of a potential privileged directory traversal vulnerability in Brocade Fabric OS v7.4.1b and v7.3.1d, stating that:

“From within the restricted shell environment (rbash) as either the “user” or “factory” account, it is possible to access and list the entirety of the filesystem utilizing the “more” binary and tab-completion.

This appears to be with root equivalent permissions regardless of who you are logged in as”.

Details provided by the researcher:

  • From within the restricted shell environment (rbash) as either the “user” or “factory” account, it is possible to access and list the entirety of the filesystem utilizing the “more” binary and tab-completion. This appears to be with root equivalent permissions regardless of who you are logged in as.
  • To reproduce, in an active SSH session with the affected software, type the command “more” and press the TAB key until a listing of the current directory is given. Supplying partial paths such as “more /” or “more /etc/” followed by pressing the TAB key will display that directory's full contents.
  • An attacker gains complete knowledge of the underlying filesystem structure including all available binaries within the user’s PATH environment variable.

Brocade's statement

Brocade Fabric OS v7.4.1b and v7.3.1d have reached End of Availability (EOA) and are no longer supported. Brocade recommends that customers run supported Brocade software versions.

  • The Brocade Fabric OS Administration Guide documents the default user accounts for actively supported Brocade Fabric OS versions.
  • The Brocade Fabric OS Administration Guide reads: “predefined accounts offered by Fabric OS that are available in the local-switch user database. The password for all default accounts should be changed during the initial installation and configuration of each switch.”
  • In all actively supported Brocade Fabric OS versions, users cannot move beyond the file system permissions assigned to them; the switch admin can also restrict user access to the switch.
  • In Brocade Fabric OS 9.x, released June 24th, 2020, Brocade has made architectural changes to prevent the use of <tab> <tab> completion.
  • Customers are advised to refer to the Brocade Product End-of-Life report.
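The report above turns on a readline behaviour, not on any command rbash permits: filename completion is performed by the shell process itself, so it enumerates directories with whatever privileges that process holds. The following is an added example, not Brocade's code and not the Fabric OS 9.x change itself; it assumes a Linux host whose restricted accounts run bash/rbash with readline, and shows the readline setting that removes <tab><tab> directory listings together with an audit function that reports whether a given INPUTRC file still leaves completion enabled.

```shell
#!/bin/sh
# Added example (assumed Linux host with bash + readline); not Brocade code.

# Readline settings a restricted account's INPUTRC should carry so that
# pressing <tab><tab> can no longer list the filesystem.
hardened_inputrc() {
    cat <<'EOF'
# Refuse filename completion: the shell never enumerates directories
# on the user's behalf.
set disable-completion on
EOF
}

# Prints the disable-completion state ("on" or "off") that an interactive
# bash ends up with when started with the given INPUTRC file.  --norc keeps
# the host's own ~/.bashrc out of the measurement.
completion_state() {
    INPUTRC="$1" bash --norc -i -c 'bind -v' 2>/dev/null |
        awk '$2 == "disable-completion" { print $3 }'
}

# Audit verdict for one INPUTRC file: "hardened" when completion is
# disabled, "weak" when readline would still complete paths.
audit_inputrc() {
    case "$(completion_state "$1")" in
        on) echo hardened ;;
        *)  echo weak ;;
    esac
}

# Demonstration on two constructed files: an empty INPUTRC (readline
# defaults, completion enabled) and the hardened one.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/weak.inputrc"
    hardened_inputrc > "$tmp/hardened.inputrc"
    echo "weak.inputrc:     $(audit_inputrc "$tmp/weak.inputrc")"
    echo "hardened.inputrc: $(audit_inputrc "$tmp/hardened.inputrc")"
    rm -rf "$tmp"
}

demo
```

Disabling completion closes the listing channel the researcher used, but it does not change the underlying condition the report describes, a restricted shell whose process has root-equivalent read access to the filesystem; the durable fix is a shell process that only holds the permissions the account is meant to have, which is what the permission statement for supported versions above describes.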

Credit

This issue was found by “Cody Martin” from Black Lantern Security on Brocade Fabric OS v7.4.1b and v7.3.1d.

Revision History

Version  Change               Date
1.0      Initial Publication  Jul 25, 2022
1.1      Add EOL link.        Aug 1, 2022