CVE-2022-28169 - Brocade Fabric OS Privilege Escalation Vulnerability (BSA-2022-2075)

Brocade Fabric OS


21238

05 August 2023

13 September 2022

CLOSED

HIGH

Base Score: 7.3 HIGH - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


CVE-2022-28169

Summary

Security Advisory ID : BSA-2022-2075

Component : Webtools

Revision : 3.1

Brocade Webtools in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege Webtools user to gain admin rights or privileges beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not admin can create a new user with the admin role using the operator session ID. The issue was replicated by intercepting the admin and operator authorization headers, which are sent unencrypted, and editing a user-addition request to use the operator's authorization header.

The fix delivered in Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c is a configurable option to disable Webtools access for all non-admin users.

This configuration option does not affect the REST and CLI interfaces; non-admin users may continue to use the CLI or REST to access the switch.

In Brocade Fabric OS version v9.2.0, architectural changes allow non-admin users access through the Webtools and HTML interfaces without exposure to this vulnerability.
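To make the control failure concrete, the following is an added illustrative model and not Brocade code: the session IDs, user names and handler interface are constructed assumptions. It contrasts a user-creation handler that only checks that a session exists (so a request replayed with the operator's authorization header succeeds) with one that binds the action to the role recorded for the session, and models the non-admin-disable option introduced in v9.1.1, v9.0.1e, and v8.2.3c.

```python
# Added illustrative model of the authorization flaw in BSA-2022-2075; not Brocade code.
# Session ids, user names and the handler interface are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    role: str  # "admin" or "operator" in this model


# Constructed session table, keyed by the value a client sends in its Authorization header.
SESSIONS = {
    "sid-admin-0001": Session("admin", "admin"),
    "sid-oper-0002": Session("operator", "operator"),
}


def create_user_vulnerable(auth_header, users, new_user, new_role):
    """Models the flaw: only the existence of a session is checked, so a user-addition
    request carrying the operator's Authorization header adds an admin account."""
    if auth_header not in SESSIONS:
        return False
    users[new_user] = new_role
    return True


def webtools_access_allowed(session, non_admin_enabled=True):
    """Models the configurechassis option ('Non Admin user enabled: no') added in
    v9.1.1, v9.0.1e and v8.2.3c: with it set, only admin sessions reach Webtools."""
    return non_admin_enabled or session.role == "admin"


def create_user_fixed(auth_header, users, new_user, new_role, non_admin_enabled=True):
    """Binds the action to the role recorded server-side for the session, not to the
    mere presence of a valid session id."""
    session = SESSIONS.get(auth_header)
    if session is None or not webtools_access_allowed(session, non_admin_enabled):
        return False
    if session.role != "admin":
        return False  # user management is an admin-only action, whatever session id is sent
    users[new_user] = new_role
    return True


if __name__ == "__main__":
    vulnerable, fixed = {}, {}
    print(create_user_vulnerable("sid-oper-0002", vulnerable, "newuser", "admin"))  # True
    print(create_user_fixed("sid-oper-0002", fixed, "newuser", "admin"))  # False
    print(create_user_fixed("sid-admin-0001", fixed, "newuser", "admin"))  # True
```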

Affected Product

All versions of Brocade Fabric OS before Brocade Fabric OS v9.2.0

A configuration option has been introduced in Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c to prevent exposure to this vulnerability.

Products Confirmed Not Vulnerable

No other Brocade Fibre Channel products from Broadcom are known to be affected by this vulnerability.

Solution

  • Workaround
    • A security update providing an option to disable Webtools access for non-admin users was released in Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c. This configuration option is not activated by default and must be configured by the switch admin using the "configurechassis" CLI command:

admin> configurechassis

Configure...

  cfgload attributes (yes, y, no, n): [no]
  ssl attributes (yes, y, no, n): [no]
  webtools attributes (yes, y, no, n): [no] y

        Login Session Timeout (in secs): (60..432000) [7200]
        Non Admin user enabled (yes, y, no, n): [yes] no

  Custom attributes (yes, y, no, n): [no]

  • A security update is provided in Brocade Fabric OS version v9.2.0 via an architectural change that allows non-admin users access through the Webtools and HTML interfaces without exposure to this vulnerability.

Credit

Revision History

Version   Change                                       Date
1.0       Initial Publication                          Sept 13, 2022
2.0       Updated Solution                             March 9, 2023
3.0       Provided details on configuration solution   March 16, 2023
3.1       Provided detail for FOS v9.2.0               August 1, 2023