SNMP passwords in clear text if password encryption is not configured. (CVE-2024-5462)
24610
14 February 2025
30 July 2024
CLOSED
MEDIUM
5.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVE-2024-5462
|
Brocade Security Advisory ID |
BSA-2024-2678 |
|
Component |
SNMP |
|
CWE-319 |
Cleartext Transmission of Sensitive Information |
|
|
|
Summary
If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified.
Products Affected
All versions of Brocade FabricOS
Products Not Affected
Brocade SANnav [VEX Justification: Vulnerable_code_not_present]
Brocade ASCG [VEX Justification: Vulnerable_code_not_present]
Remediation
Administrators should ensure that SNMP password encryption is enabled by using the following CLI command:
snmpconfig --set snmpv3 -enable passwd_encryption
The state of the SNMP password encryption can always be confirmed by using the following CLI command:
snmpconfig --show snmpv3
And then looking at the SNMPv3 user password encryption flag setting
SNMP Informs = 0 (OFF)
SNMPV3 user password encrypted = 1 (ON)
SNMPv3 USM configuration:
User 1 (ro): admin
…
Brocade switches shipped from the factory with Brocade Fabric OS 9.2.0 and later versions will have the SNMPv3 user password encryption enabled by default.
Brocade switches that were shipped from the factory with versions of Brocade Fabric OS prior to 9.2.0 have the SNMPv3 user password encryption disabled by default. Upgrading to newer versions of Brocade Fabric OS will not cause this setting to change. The administrator must actively enable the password encryption as described above.
A reset to factory defaults with Brocade Fabric OS 9.2.0 and later versions will set the SNMPv3 user password encryption to enabled, however, a reset to factory defaults with versions prior to Brocade Fabric OS 9.2.0 will set the SNMPv3 user password encryption to disabled.
Firmware upgrades and downgrades, power cycles and reboots will not affect the setting of this configuration variable.
The recommendation is to change SNMP authpassword / privpassword after enabling SNMPv3 password encryption as these secrets could have been previously exposed or may have been previously captured within an internal log that could be exposed on the next Supportsave capture.
snmpconfig --set snmpv3 -index <index> {[-user <user_name>] [-groupname {ro | rw}] [-auth_proto <auth_protocol> -auth_passwd <auth_password> [-priv_proto <priv_protocol> -priv_passwd <priv_password>]] [-engine_id <engine_id>]}
Revision History
|
Version |
Change |
Date |
|
1.0 |
Initial Publication |
July 30, 2024 |
|
1.1 |
Corrected small typo |
September 3, 2024 |
|
2.0 |
Added CWE |
February 14, 2025 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.