Fabric OS versions prior to v9.0 have default community strings (CVE-2024-5460)

Brocade Directors (2 more products)

24409

29 May 2024

29 May 2024

CLOSED

HIGH

8.1 High: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE-2024-5460

Brocade Security Advisory ID: BSA-2024-2596

Component: SNMPv1


Summary

A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to a hard-coded default community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 1 queries to an affected device.

Products Affected

Brocade Fabric OS versions prior to v9.0.0 that continue to run with the default SNMP community string and SNMPv1 enabled.

Brocade Directors and Switches that were originally shipped with a version of Brocade Fabric OS prior to v9.0.0 that have not had their default community strings updated, and continue to have SNMPv1 enabled even after upgrading to a Fabric OS version v9.0.0 or later.

Products Confirmed Not Affected

Brocade Directors and Switches that were shipped with Brocade v9.0.0 or later versions of Fabric OS.

Detail

SNMPv1 remains a configurable option to support legacy customer environments. The administrator controls SNMPv1 usage and can fully disable the use of SNMPv1 if it is not required within the customer environment.

Default community strings and SNMPv1 are both disabled by default, starting with Fabric OS v9.0.0.

Solution

For supported Brocade Fabric OS v8.2.3x firmware that still contains default community strings, follow these remediation steps:

  • Clear the default community strings by using "snmpconfig --default snmpv1"
  • Disable SNMPv1 if it is not required within the customer environment

The above recommendations and configuration steps are documented within the Brocade Fabric OS administration and command reference guides. For further assistance, please contact your Service Provider.
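The root cause described above is that an SNMPv1 message carries its community string in cleartext and that string is the only access control the agent applies to the request. The following is an added example, not Brocade code and not part of this advisory, that a defender can run over captured SNMP datagrams after remediation to confirm the result: it encodes and decodes the RFC 1157 message header with a minimal BER parser, flags every SNMPv1 request regardless of community, and additionally flags community strings that appear on an operator-maintained list. The SUSPECT_COMMUNITIES set, the sample packets and the "site-ro-placeholder" value are constructed placeholders; the advisory does not list Brocade's default strings, and none are assumed here.

```python
"""Flag SNMPv1 requests and listed community strings in captured SNMP packets.

Added example for CVE-2024-5460 (not Brocade code, not from the advisory).
An SNMP message (RFC 1157) is BER-encoded as
    SEQUENCE { INTEGER version (0 = v1, 1 = v2c), OCTET STRING community, PDU }
so the community string is readable by anyone who sees the datagram, and for
SNMPv1 it is the only access control the agent applies.
"""
from dataclasses import dataclass

# Operator-maintained list of community strings to treat as default/known.
# Placeholder values: the advisory does not list Brocade's default strings.
SUSPECT_COMMUNITIES = {"public", "private"}

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c"}


# --- minimal BER helpers (enough for the SNMP message header) ---------------

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _int(value: int) -> bytes:
    """BER INTEGER with minimal two's-complement content octets."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the TLV)."""
    tag = buf[pos]
    length, pos = _read_length(buf, pos + 1)
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


# --- encoder, used only to construct sample traffic --------------------------

def _encode_subid(v: int) -> bytes:
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))


def build_get_request(version: int, community: str,
                      oid=(1, 3, 6, 1, 2, 1, 1, 1, 0), request_id: int = 1) -> bytes:
    """Build a GetRequest for one OID (default sysDescr.0). Constructed sample input."""
    oid_bytes = bytes([40 * oid[0] + oid[1]]) + b"".join(_encode_subid(s) for s in oid[2:])
    varbind = _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(0x05, b""))  # { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


# --- decoder and detection logic -------------------------------------------

@dataclass
class SnmpHeader:
    version: int
    community: str
    pdu_tag: int


def parse_snmp_header(packet: bytes) -> SnmpHeader:
    """Decode version, community and PDU type; raise ValueError on malformed input."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, comm, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    if pos >= len(body):
        raise ValueError("missing PDU")
    return SnmpHeader(int.from_bytes(ver, "big", signed=True), comm.decode("latin-1"), body[pos])


def assess(packet: bytes) -> dict:
    """Return findings for one packet; an empty findings list means nothing to flag."""
    h = parse_snmp_header(packet)
    findings = []
    if h.version == 0:
        findings.append("SNMPv1 request: community string is the only access control and is sent in cleartext")
    if h.community in SUSPECT_COMMUNITIES:
        findings.append("community string is on the default/known list")
    return {"version": h.version, "community": h.community, "findings": findings}


def scan(packets) -> list[dict]:
    """Assess each packet and keep only those with findings."""
    return [r for r in (assess(p) for p in packets) if r["findings"]]


# Constructed sample traffic: v1 with a listed string, v2c with a site-specific
# string, and v1 with a site-specific string (still flagged: v1 itself is the issue).
SAMPLE_PACKETS = [
    build_get_request(0, "public"),
    build_get_request(1, "site-ro-placeholder"),
    build_get_request(0, "site-ro-placeholder"),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_PACKETS):
        name = VERSION_NAMES.get(r["version"], f"version {r['version']}")
        print(f"{name} community={r['community']!r}: {'; '.join(r['findings'])}")
```

The third sample packet shows the point of the second remediation step: clearing the default strings alone is not enough if SNMPv1 stays enabled, because any v1 request is still authorised by a cleartext string. In a real deployment the packets would come from a capture on the management network, and the community value would normally be masked before the finding is written to a log.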

Credit

  • The issue was found and corrected by Brocade
  • Pierre Barre also reported the issue to Brocade


Revision History

Version  Change                                                                                       Date
1.0      Initial Publication                                                                          May 28th, 2024
2.0      Added additional detail about the issue, provided clarity around switches upgraded to v9.x   May 29th, 2024


Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.