License forgery in Brocade Fabric OS (FOS) hardware platforms running any version of Brocade Fabric OS software, (CVE-2021-27795)

Brocade Embedded Switches


21289

06 December 2023

28 March 2022

CLOSED

MEDIUM

6.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H)

Yes

CVE-2021-27795

Summary

Security Advisory ID : BSA-2022-1758

Component : Brocade Fabric OS License

Revision : 2.0

Brocade Fabric OS (FOS) hardware platforms running any version of Brocade Fabric OS software that supports the license string format contain cryptographic issues that could allow the installation of forged or fraudulent license keys. An attacker or other malicious party could forge a counterfeit license key that the Brocade Fabric OS platform would authenticate and activate as if it were a legitimate license key.

Brocade threat modeling has determined that the use of fraudulent license keys could potentially introduce unexpected behavior within FOS. After decoding a fraudulent license key, additional flags or fields that would not exist within a valid license key could be interpreted by FOS in a way that introduces one or more of the following undesirable behaviors:

  • Allow a switch to install FOS versions not authorized or qualified for that switch, which could improperly configure hardware components, create system issues, corrupt user data, or potentially allow escalation of privilege.
  • Expose sensitive information on the switch, including user profile information.
  • Enable unsupported features or illegitimate combinations of features that could have detrimental impacts on fabric operations and/or end device connectivity.

Brocade PSIRT highly recommends that customers ensure license keys are obtained only from authorized vendors to eliminate the risk of receiving a fraudulent license key. In order for a fraudulent key to be produced, the counterfeiter needs to know unique identifying information from the customer switch, including WWNs, switch types, FOS version levels, confirmation of other licenses already installed, and the full output of certain CLI show commands. This identifying information is typically provided in plain-text e-mail. Identifying information about any specific switch can also be used by bad actors to craft targeted attacks against the switches that have been exposed in this way.

When purchasing a license through a legitimate vendor, a customer is typically not required to provide any uniquely identifying information about a switch. Authorized Broadcom vendors provide the customer with a transaction key or license certificate that the customer then uses to obtain the actual license key using a license portal where only the switch WWN or switch License ID is submitted. Licenses obtained in this way through an authorized Broadcom vendor using a license portal on the Broadcom or a partner site are guaranteed to be safe and legitimate, posing no risk to the customer. If a vendor requests any uniquely identifying information about a switch when selling any FOS license keys and you are uncertain as to whether the vendor is a legitimate, authorized Broadcom partner, please contact Broadcom for additional assistance.

Affected Products

The following Brocade hardware platforms and Brocade Fabric OS software versions utilize a license string format to manage license keys. FOS license(s) obtained through unauthorized vendors and installed on any of these products are potentially vulnerable, as the Brocade Fabric OS software may not be able to detect a fraudulent license key:

  • Brocade X6-8 director running any version of FOS below v9.1.1
  • Brocade X6-8 director (switch type 166.0) running FOS version v9.1.1 or higher
  • Brocade X6-4 director running any version of FOS below v9.1.1
  • Brocade X6-4 director (switch type 165.0) running FOS version v9.1.1 or higher
  • Brocade G630 switch (switch type 173) running any version of FOS
  • Brocade G620 switch (switch type 162) running any version of FOS
  • Brocade G610 switch (switch types 170.0, 170.1, 170.2) running any version of FOS
  • Brocade 6520 switches running any version of FOS
  • Brocade 6510 switches running any version of FOS
  • Brocade 6505 switches running any version of FOS
  • Brocade 7840 extension switch running any version of FOS
  • Brocade 7810 extension switch running any version of FOS
  • Brocade 7800 extension switch running any version of FOS
  • Brocade 300 switches running any version of FOS
  • All Embedded Brocade switches running any version of FOS

Note: The fraudulent license issue described within this advisory does not affect Brocade hardware platforms running any version of Brocade Fabric OS when the license keys were obtained through authorized vendors.

Products Confirmed Not Vulnerable

The following Brocade hardware platforms and Brocade Fabric OS software versions utilize an “XML file” format to manage license keys. These products are not vulnerable to the fraudulent license issue described within this advisory:

  • Brocade X7-8 director running FOS version v9.0.1a or higher
  • Brocade X7-4 director running FOS version v9.0.1a or higher
  • Brocade X6-8 director (switch type 166.5) running FOS version v9.1.1 or higher
  • Brocade X6-4 director (switch type 165.5) running FOS version v9.1.1 or higher
  • Brocade G730 switch running FOS version v9.1.0 or higher
  • Brocade G720 switch running FOS version v9.0.1a or higher
  • Brocade G630 switch (switch type 184) running FOS version v9.0.1a or higher
  • Brocade G620 switch (switch type 183) running FOS version v9.0.1a or higher
  • Brocade G610 switch (switch types 170.4 or 170.5) running FOS version v9.0.1b or higher

Note: Any future Brocade hardware platform released after the posting of this advisory shall utilize the XML file format to manage license keys. These future products will also not be vulnerable to the fraudulent license issue described within this advisory.

No other Brocade Fibre Channel products from Broadcom are affected by this vulnerability.

Solution

Broadcom recommends that customers operating Brocade Fabric OS products only acquire license keys from a trusted vendor.

If you suspect you may have installed an illegitimate license key on a Brocade switch, please contact your Broadcom-authorized support vendor for assistance in safely removing the license key.

Newer generation Brocade Fabric OS products utilize an enhanced cryptographic implementation that is designed to prevent the introduction of fraudulent keys on the system. Regardless of platform, customers that acquire license keys only from trusted vendors will not be exposed to this vulnerability.

Revision History

Version | Change              | Date
1.0     | Initial Publication | March 28, 2022
2.0     | Update + CVE ID     | June 15, 2022