SNMP passwords in clear text if password encryption is not configured

Brocade Directors


24610

03 September 2024

30 July 2024

CLOSED

MEDIUM

5.1 - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVE-2024-5462

Brocade Security Advisory ID: BSA-2024-2678

Component: SNMP

Summary

If the FOS configuration is not set to encrypt SNMP passwords, the SNMPv3 privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can appear in a configupload capture or a supportsave capture when password encryption is not enabled. An attacker holding these passwords can fetch the values of the supported OIDs via SNMPv3 queries, and a limited number of MIB objects can also be modified.

Products Affected

All versions of Brocade FabricOS

Products Not Affected

Brocade SANnav [VEX Justification: Vulnerable_code_not_present]

Brocade ASCG [VEX Justification: Vulnerable_code_not_present]

Remediation

Administrators should ensure that SNMP password encryption is enabled by using the following CLI command:

snmpconfig --set snmpv3 -enable passwd_encryption 

The state of the SNMP password encryption can always be confirmed by using the following CLI command:

snmpconfig --show snmpv3

and then checking the SNMPv3 user password encryption flag in the output. The relevant lines look like this, with the flag reading 1 (ON) when encryption is enabled:

SNMP Informs = 0 (OFF)
SNMPV3 user password encrypted  = 1 (ON)

SNMPv3 USM configuration:
User 1 (ro): admin

Brocade switches shipped from the factory with FOS v9.2.0 and later versions will have the SNMPv3 user password encryption enabled by default.

Brocade switches that were shipped from the factory with versions of Brocade Fabric OS prior to v9.2.0 have the SNMPv3 user password encryption disabled by default. Upgrading to newer versions of Brocade Fabric OS will not cause this setting to change. The administrator must actively enable the password encryption as described above.

A reset to factory defaults with Brocade Fabric OS v9.2.0 and later versions will set the SNMPv3 user password encryption to enabled; however, a reset to factory defaults with versions prior to Brocade Fabric OS v9.2.0 will set the SNMPv3 user password encryption to disabled.

Firmware upgrades and downgrades, power cycles and reboots will not affect the setting of this configuration variable.

The recommendation is to change the SNMP authpassword / privpassword after enabling SNMPv3 password encryption, as these secrets could have been exposed previously, or may have been captured in an internal log that could be exposed on the next supportsave capture. The SNMPv3 user passwords are changed with the following CLI command:

snmpconfig --set snmpv3 -index <index> {[-user <user_name>] [-groupname {ro | rw}] [-auth_proto <auth_protocol> -auth_passwd <auth_password> [-priv_proto <priv_protocol> -priv_passwd <priv_password>]] [-engine_id <engine_id>]}
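The verification step above is easy to script across a fleet. The following is an added example, not Brocade's code: it parses captured `snmpconfig --show snmpv3` output from one or more switches and reports which ones still have the SNMPv3 user password encryption flag OFF (the switch hostnames and the second capture's flag value are constructed for the example).

```python
import re
from typing import Dict, Optional

# Flag line as shown in the advisory's 'snmpconfig --show snmpv3' excerpt:
#   "SNMPV3 user password encrypted  = 1 (ON)"
# Accepts 0/1 and/or ON/OFF, any case, variable spacing.
_FLAG_RE = re.compile(
    r"^\s*SNMPv3 user password encrypted\s*=\s*"
    r"(?P<num>[01])?\s*(?:\((?P<word>ON|OFF)\))?",
    re.IGNORECASE | re.MULTILINE,
)

# Remediation command quoted from the advisory.
REMEDIATION_CMD = "snmpconfig --set snmpv3 -enable passwd_encryption"


def password_encryption_enabled(show_output: str) -> Optional[bool]:
    """True if the flag reads ON/1, False if OFF/0, None if the line is absent.
    None stays distinct from False so a truncated capture is never silently
    scored as compliant or non-compliant."""
    m = _FLAG_RE.search(show_output)
    if not m:
        return None
    if m.group("word"):
        return m.group("word").upper() == "ON"
    if m.group("num"):
        return m.group("num") == "1"
    return None


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map switch name -> 'ok', 'needs_remediation' or 'unknown'."""
    labels = {True: "ok", False: "needs_remediation", None: "unknown"}
    return {name: labels[password_encryption_enabled(text)]
            for name, text in outputs.items()}


# Constructed sample captures (hostnames and the second switch's flag value
# are made up; the line shapes follow the advisory's excerpt).
SAMPLE_OUTPUTS = {
    "san-sw-01": "SNMP Informs = 0 (OFF)\nSNMPV3 user password encrypted  = 1 (ON)\n"
                 "SNMPv3 USM configuration:\nUser 1 (ro): admin\n",
    "san-sw-02": "SNMP Informs = 0 (OFF)\nSNMPV3 user password encrypted  = 0 (OFF)\n"
                 "SNMPv3 USM configuration:\nUser 1 (ro): admin\n",
}

if __name__ == "__main__":
    for switch, status in audit(SAMPLE_OUTPUTS).items():
        hint = f"  -> run: {REMEDIATION_CMD}" if status != "ok" else ""
        print(f"{switch}: {status}{hint}")
```

In practice the captures come from running the show command over SSH on each switch and saving the text; any switch reported as needs_remediation should also have its auth/priv passwords rotated after the flag is enabled, as the advisory recommends.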

Revision History

Version | Change               | Date
1.0     | Initial Publication  | July 30, 2024
1.1     | Corrected small typo | September 3, 2024

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.