BSA-2020-905

Brocade Fabric OS

21577

24 January 2020

24 January 2020

Closed

Low

8.2

Yes

CVE-2019-16204

Summary

Security Advisory ID : BSA-2020-905

Component : authentication

Revision : 1.0: Final

Brocade Fabric OS versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1d could expose external passwords, common secrets or authentication keys used between the switch and an external server.
When certain CLI commands are run with a password, common secret or authentication key given as a command line option, the argument provided with that option can be captured and saved in the switch CLI History or Audit Log. The password or secret will not be exposed to any other user of the switch and cannot be viewed by any other user account on the switch, including ADMIN.
However, the password or secret could be visible to a support engineer who has been given a SupportSave from the switch.

Affected Products

Brocade Fabric OS versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1d.

Workaround:

Use the CLI in "interactive" mode. When the CLI is used in "interactive" mode, the switch will not store any information provided.
The CLI History and Audit Log only retain additional arguments when they are provided as a command line option.
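
The following is an added example, not code from Brocade or from this advisory: it scans a text copy of CLI history lines for secrets passed as command line options, reports where they occur, and masks them so the copy can be reviewed before it is handed to a third party. The `time | user | command` line format, the `examplecmd` command name and the option names in `SECRET_OPTIONS` are assumptions, because the advisory does not list the affected commands or options.

```python
import shlex

# Assumption: option names that carry a secret; the advisory does not list them.
SECRET_OPTIONS = {"-s", "-secret", "-password", "-key"}
MASK = "REDACTED"

def redact_command(command, secret_options=SECRET_OPTIONS):
    """Mask arguments of secret-bearing options; return (command, options_hit)."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quote in the log: fall back to a plain split
        tokens = command.split()
    out, hits, i = [], [], 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name in secret_options and sep and value:      # -key=VALUE form
            out.append(f"{name}={MASK}")
            hits.append(name)
        elif tokens[i] in secret_options and i + 1 < len(tokens):
            # "-s VALUE" form: always mask the next token (over-masking is safer).
            out += [tokens[i], MASK]
            hits.append(tokens[i])
            i += 1
        else:  # includes an option given last with no argument (prompted entry)
            out.append(tokens[i])
        i += 1
    return shlex.join(out), hits

def scan_history(lines, secret_options=SECRET_OPTIONS):
    """Return (findings, cleaned_lines); findings never contain the secret."""
    findings, cleaned = [], []
    for number, line in enumerate(lines, 1):
        parts = line.split(" | ", 2)  # constructed format: time | user | command
        redacted, hits = redact_command(parts[2], secret_options) if len(parts) == 3 else ("", [])
        if hits:
            findings.append((number, parts[1], redacted.split()[0], hits))
            cleaned.append(" | ".join([parts[0], parts[1], redacted]))
        else:
            cleaned.append(line)
    return findings, cleaned

# Constructed sample; "examplecmd" is a hypothetical command name.
SAMPLE_HISTORY = [
    "2020-01-20 10:15:02 | admin | examplecmd --add 192.0.2.10 -s Sup3rS3cret -t 3",
    "2020-01-20 10:16:40 | admin | examplecmd --add 192.0.2.11",  # interactive entry
    "2020-01-20 10:18:05 | admin | examplecmd --change 192.0.2.10 -key='two words'",
    "2020-01-20 10:19:00 | admin | switchshow",
]
```

Any secret that the scan finds has already been written to the log, so it should be rotated on the external server as well as masked in the copy.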

Solution:

A security update has been provided in Brocade Fabric OS versions v7.4.2f, v8.2.2a, v8.1.2j, and v8.2.1d.
All later versions of Brocade Fabric OS, including all Brocade Fabric OS v9.X releases, also contain this same security update.
Brocade strongly recommends that all customers running the impacted version(s) upgrade to one of the identified patch levels or a higher version of Brocade Fabric OS to obtain the security update.

Revision History

| Version | Change | Date |
|---------|--------|------|
| 1.0 | Initial Publication | January 24, 2020 |