Application User custom defined accounts are not properly password protected in Brocade ASCG 3.4.0 (CVE-2026-0869)
37121
03 March 2026
03 March 2026
CLOSED
HIGH
8.3 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L
CVE-2026-0869
| Brocade Security Advisory ID | BSA-2026-3355 |
| Component | ASCG Authentication Module |
| CWE-305 | Authentication Bypass by Primary Weakness |
Summary
Application User accounts with Brocade ASCG application privileges that are created by the administrator do not have their passwords properly enforced. Any other user who learns the assigned user name can access the custom-created application manager account and gain access to the Brocade ASCG application. This unauthorized user can then perform ASCG operations related to BSL and streaming configuration, and could even disable the Brocade ASCG application or disable the use of BSL data collection on switches within the fabric.
Products Affected
- Brocade ASCG version 3.4.0
Products Not Affected
- Brocade Fabric OS
  [VEX Justification: Component_not_present]
- Brocade SANnav
  [VEX Justification: Component_not_present]
- Brocade ASCG versions before 3.4.0
  [VEX Justification: Code_not_present]
Work-Around
- Disable any Application User accounts on ASCG version 3.4.0
- Use one or more of the other authentication methods for ASCG:
  - LDAP: LDAP authentication is managed via an external LDAP Server.
  - OS: OS authentication is performed against the underlying Host Operating System.
  - FA: Federated Authentication is managed via an external IDP Server.
Solution
- Solution provided in Brocade ASCG version 3.4.0a
Credit
- The vulnerability was discovered during internal testing.
Revision History
| Version | Change | Date |
| 1.0 | Initial Publication | March 3, 2026 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.