CVE-2022-33186 : EZServer module vulnerability. (BSA-2022-2121)

Products: Brocade Fabric OS
Notification ID: 21217
Last Updated: 25 April 2024
Published: 08 November 2022
Status: CLOSED
Severity: CRITICAL
CVSS Score: 9.4 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE: CVE-2022-33186

Summary

Security Advisory ID: BSA-2022-2121

Component: EZServer

Revision: 2.1

A vulnerability in Brocade Fabric OS software v9.1.1, v9.0.1e, v8.2.3c, v7.4.2j, and earlier versions could allow a remote, unauthenticated attacker to execute commands on a Brocade Fabric OS switch, including commands that modify zoning, disable the switch, disable ports, and change the switch IP address.

The vulnerability lies in the Brocade EZServer module embedded in Brocade Fabric OS, the switch-side server that the Brocade EZSwitch tool talks to.

Brocade EZSwitch is an external tool that lets SAN administrators configure and manage single-switch fabrics from a standard workstation through a simple graphical user interface (GUI) wizard.

The tool is used only for initial switch configuration and is not required during normal operation once a new factory switch has been configured. The embedded EZServer module it talks to, however, stays enabled on affected switches whether or not the tool is ever used (a factory default restores it, as noted under Remediation), so the exposure is present during normal operation and not only during initial setup.

Products Affected

Brocade Fabric OS versions v9.1.1, v9.0.1e, v8.2.3c, v7.4.2j, and earlier versions are affected.

Products Confirmed Not Affected

No other Brocade Fibre Channel products are affected.

Solution

Broadcom recommends that customers immediately apply one of the remediation steps below to disable EZServer and block all commands through this interface.

To remediate the issue further, the Brocade EZServer module has been removed entirely from all future Brocade FOS releases, effectively ending support for EZSwitch.

Brocade has also removed EZSwitch from its download center to limit any further distribution of the tool.

Remediation

To remove all exposure to this vulnerability, Brocade Fabric OS (FOS) switch administrators must either disable EZServer support or upgrade to a Brocade Fabric OS version from which the EZServer module has been removed.

EZServer is disabled with the CLI command configurechassis. Disabling EZServer in the switch configuration prevents any exposure to this vulnerability. This option is available only on Brocade Fabric OS v8.1.0b and higher. Customers running older versions of Brocade Fabric OS, including v7.4.2j, do not have this option and must upgrade to Brocade Fabric OS v7.4.2j1 to protect their switches.

Customers who elect to upgrade their Brocade Fabric OS version can obtain a patch with the EZServer module removed:

  • Brocade Fabric OS v9.1.1_01 and higher versions
  • Brocade Fabric OS v9.0.1e1 and higher versions
  • Brocade Fabric OS v8.2.3c1 and higher versions
  • Brocade Fabric OS v7.4.2j1 and higher versions

These patches can be obtained from the standard customer support portal or by contacting your support organization.

Example showing how to disable the EZServer module (the value in brackets is the current setting; the answer typed by the administrator follows it):

brocadeswitch:admin> configurechassis
Configure...
cfgload attributes (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no] y
...
Login Session Timeout (in secs): (60..432000) [7200]
EZserver Enabled (yes, y, no, n): [yes] no
...
brocadeswitch:admin>

Notes:

The following actions will re-enable EZServer on Brocade Fabric OS versions that still contain the EZServer module, so the configurechassis change must be reapplied after any of them:

  • firmwarecleaninstall
  • config removall
  • configdefault
  • factory reset
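The fixed-version list and the v8.1.0b cutoff for configurechassis lend themselves to a fleet triage check. The following is an added example, not code from the advisory or from Broadcom: it parses Fabric OS version strings in the forms the advisory uses (v9.1.1, v9.1.1_01, v9.0.1e1, v8.2.3c1, v7.4.2j) and reports, for each switch, whether it is affected and which remediation applies. The FIXED_BY_LINE table, the parse_fos_version ordering rules, the Assessment fields, the sample inventory, and the treatment of release lines the advisory does not list (such as 8.1.x) are assumptions of this example, stated again in the code.

```python
import re
from typing import NamedTuple, Optional

# Fixed releases listed in BSA-2022-2121, keyed by Fabric OS release line
# (major, minor). A switch at or above its line's entry has EZServer removed.
FIXED_BY_LINE = {
    (9, 1): "v9.1.1_01",
    (9, 0): "v9.0.1e1",
    (8, 2): "v8.2.3c1",
    (7, 4): "v7.4.2j1",
}

# First release whose configurechassis dialog offers the "EZserver Enabled" knob.
CONFIGURECHASSIS_MIN = "v8.1.0b"

# Forms seen in the advisory: v9.1.1, v9.1.1_01, v9.0.1e, v9.0.1e1, v8.2.3c1, v7.4.2j
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?(?:_(\d+))?$")


def parse_fos_version(text: str) -> tuple:
    """Convert a Fabric OS version string into a tuple that sorts correctly.

    Assumed ordering within one patch level: no suffix < a < a1 < b ..., and
    vX.Y.Z < vX.Y.Z_01, so v9.0.1e < v9.0.1e1 and v9.1.1 < v9.1.1_01.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    major, minor, patch, letter, letter_num, build = m.groups()
    return (
        int(major),
        int(minor),
        int(patch),
        ord(letter) - ord("a") + 1 if letter else 0,
        int(letter_num) if letter_num else 0,
        int(build) if build else 0,
    )


class Assessment(NamedTuple):
    version: str
    affected: bool
    fixed_version: Optional[str]   # fix listed for this release line, if any
    cli_disable_available: bool    # configurechassis can turn EZServer off
    action: str


def assess(version_text: str) -> Assessment:
    """Map one switch's Fabric OS version to the advisory's remediation."""
    v = parse_fos_version(version_text)
    fix = FIXED_BY_LINE.get((v[0], v[1]))
    if fix is not None:
        affected = v < parse_fos_version(fix)
    else:
        # Assumption for lines the advisory does not list (e.g. 8.1.x): the
        # advisory covers "earlier versions", so anything older than the newest
        # listed fix is affected, and anything newer is a later release from
        # which the module has been removed.
        newest_fix = max(FIXED_BY_LINE.values(), key=parse_fos_version)
        affected = v < parse_fos_version(newest_fix)
    cli_disable = v >= parse_fos_version(CONFIGURECHASSIS_MIN)
    target = fix or "a Fabric OS release with the EZServer module removed"
    if not affected:
        action = "none: EZServer module is not present in this release"
    elif cli_disable:
        action = f"disable EZServer via configurechassis, or upgrade to {target}"
    else:
        action = (f"upgrade to {target} (configurechassis cannot disable "
                  f"EZServer before {CONFIGURECHASSIS_MIN})")
    return Assessment(version_text, affected, fix, cli_disable, action)


def triage(inventory: dict) -> dict:
    """Assess a {switch_name: version} inventory, e.g. collected from `version` output."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; switch names and versions are illustrative only.
    sample = {
        "core-a": "v9.1.1",
        "core-b": "v9.1.1_01",
        "edge-1": "v8.2.3c",
        "edge-2": "v7.4.2j",
        "lab-1": "v8.1.0a",
    }
    for name, result in triage(sample).items():
        flag = "AFFECTED" if result.affected else "ok"
        print(f"{name:8} {result.version:10} {flag:9} {result.action}")
```

Feed it the strings reported on each switch's "Fabric OS:" line from the version command, and treat every AFFECTED row as requiring either the configurechassis change or the listed upgrade before the switch's management interface is considered closed to this issue.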

Credit

  • This issue was found internally.
  • Pierre Barre also reported the issue after it had already been addressed by Brocade.

Revision History

Version   Change                                 Date
1.0       Initial publication                    Nov 8, 2022
2.0       Update related to 7.4.2.x versions     Nov 8, 2022
2.1       Added credit to Pierre Barre           April 24, 2024