Brocade Fabric OS before 9.2.2 does not enforce strict host key checking

Brocade Fabric OS


25177

12 November 2024

12 November 2024

OPEN

MEDIUM

7.0 -- CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:H/SI:N/SA:N

CVE-2024-7516

Brocade Security Advisory ID: BSA-2024-2742

Component: ssh

Summary

A vulnerability in Brocade Fabric OS versions before 9.2.2 could allow a man-in-the-middle attacker to hijack remote service sessions. The attack relies on the attacker's ability to present a forged SSH host key while the Brocade Fabric OS switch is performing various remote operations initiated by a switch admin.

Detail:

The option StrictHostKeyChecking is a security feature that controls how an SSH client verifies the identity of a remote computer when connecting to it. When this option is enabled, the client automatically rejects any host key from the server that does not match the key stored for that host in its known_hosts file. This protects against man-in-the-middle attacks, in which an attacker impersonates the server by presenting a different host key.
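To make the verification step concrete, the following added example (not code from the advisory or from Brocade) models the known_hosts lookup an SSH client performs and the accept/reject decision that StrictHostKeyChecking governs. It parses both plain and hashed (`|1|salt|hmac`) known_hosts entries, compares the presented key against the recorded one, and returns a different decision for strict and non-strict policy. All hostnames, key blobs and the known_hosts content are constructed for the example; the non-strict branch is a simplified model of OpenSSH behaviour (it treats a mismatch as "continue with a warning"), and `@cert-authority`/`@revoked` markers are not handled.

```python
"""Model of the host-key check that StrictHostKeyChecking enforces (added example)."""
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample keys: arbitrary bytes standing in for real SSH public key blobs.
GOOD_KEY = base64.b64encode(b"constructed-ed25519-key-for-san-backup-server").decode()
ROGUE_KEY = base64.b64encode(b"constructed-key-presented-by-an-impersonator").decode()


def _hashed_host_field(host: str, salt: bytes) -> str:
    """Build an OpenSSH-style hashed hostname field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"


# Constructed known_hosts content: one plain entry (two aliases) and one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# comment lines and blank lines are ignored",
    "",
    f"backup.example.internal,10.0.0.5 ssh-ed25519 {GOOD_KEY} admin@jumphost",
    f"{_hashed_host_field('fw.example.internal', b'0123456789abcdefab12')} ssh-ed25519 {GOOD_KEY}",
])


@dataclass
class KnownHost:
    hosts: str    # comma-separated names/addresses, or a |1|salt|hash field
    keytype: str  # e.g. ssh-ed25519, ssh-rsa
    key: str      # base64 public key blob

    def matches_host(self, host: str) -> bool:
        """True if this entry is for `host` (plain list membership or HMAC match)."""
        if self.hosts.startswith("|1|"):
            _, _, salt_b64, digest_b64 = self.hosts.split("|")
            expected = base64.b64decode(digest_b64)
            actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            return hmac.compare_digest(expected, actual)
        return host in self.hosts.split(",")


def parse_known_hosts(text: str) -> list[KnownHost]:
    """Parse known_hosts text into entries, skipping comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; a real client would warn about it
        entries.append(KnownHost(fields[0], fields[1], fields[2]))
    return entries


def verify_host_key(known_hosts_text: str, host: str, keytype: str, key: str,
                    strict: bool) -> tuple[str, bool]:
    """Return (status, accepted) where status is 'match', 'mismatch' or 'unknown'."""
    candidates = [e for e in parse_known_hosts(known_hosts_text)
                  if e.matches_host(host) and e.keytype == keytype]
    if not candidates:
        # No recorded key: strict mode refuses to connect; non-strict trusts on first use.
        return "unknown", not strict
    if any(hmac.compare_digest(e.key, key) for e in candidates):
        return "match", True
    # Recorded key differs from the presented one: the classic man-in-the-middle signal.
    # Strict mode aborts. The non-strict branch is a simplified model of the pre-9.2.2
    # behaviour described above: the session proceeds and the admin's credentials follow.
    return "mismatch", not strict


if __name__ == "__main__":
    for strict in (True, False):
        for host, key in [("backup.example.internal", GOOD_KEY),
                          ("backup.example.internal", ROGUE_KEY),
                          ("new.example.internal", GOOD_KEY)]:
            status, accepted = verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key, strict)
            print(f"strict={strict!s:5} host={host:24} {status:8} -> {'accept' if accepted else 'reject'}")
```

Run as a script to see the decision matrix: only strict mode rejects both the unknown host and the mismatched key, which is exactly the case the advisory's impersonated-server scenario depends on.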

Historically, StrictHostKeyChecking has not been enabled in Brocade Fabric OS because multiple prerequisite conditions must exist before a successful exploit. A man-in-the-middle attacker must already have gained an initial foothold in the customer network and either installed a rogue secure remote services server inside that network or compromised an existing server in it.

If such a network compromise has been achieved, the attacker could take advantage of FOS not employing StrictHostKeyChecking to carry out one of the following attacks when a switch admin executes the corresponding remote operation:

  • Firmware download

The attacker could cause the switch to load an older valid version of Brocade Fabric OS firmware than intended, which could remove some features or introduce security vulnerabilities that the attacker could then exploit.

  • Config upload

The attacker could gain knowledge of zoning or other configuration settings on the Brocade Fabric OS switch.

  • Config download

The attacker could modify the zoning configuration and other switch configuration settings, impacting the switch's ability to communicate in the fabric.

  • Supportsave

The attacker could intercept the “supportsave” and read “supportdata”. There is no user data, passwords or other secrets in the support data.

  • Download certificate

The attacker could download different certificates in the switch, breaking valid communication with other servers.

Note: During the above operations, the Brocade switch will send legitimate credentials to the impersonated server, exposing the valid server’s credentials.


Solution:

Brocade has added a command that allows Brocade Fabric OS switch admins to enable or disable "StrictHostKeyChecking".

Enable strict host key checking using the “sshutil” CLI:

  • sshutil stricthostkeycheck -value yes

Disable strict host key checking using the “sshutil” CLI:

  • sshutil stricthostkeycheck -value no

Verify the current configuration using “sshutil” CLI:

  • sshutil stricthostkeycheck -show


Upgrade/Downgrade Behavior:

  • Brocade Fabric OS switches shipped from the factory with FOS 9.2.2 will have the check enabled by default.
  • Brocade Fabric OS switches upgraded from pre-FOS 9.2.2 to FOS 9.2.2 will continue to have "StrictHostKeyChecking" disabled. To enable it, use the configuration CLI shown below, or reset all active security settings to their defaults:
    • sshutil stricthostkeycheck -value yes

OR

    • factoryreset --set securitydefault

Note: The factory reset to security defaults changes all security settings to pre-defined strong security values. This could interrupt access to the switch.


Products Affected

  • All Brocade Fabric OS versions prior to Fabric OS version 9.2.2

Products Not Affected

  • Brocade ASCG is not affected by this vulnerability
  • Brocade SANnav is not affected by this vulnerability

About Brocade Risk Rating: MEDIUM

Vulnerabilities that are less easily exploited, based on a technical evaluation of the flaw, authentication requirements or physical access, and/or that affect unlikely configurations.

Credit

  • Pierre Barre reported the issue to Brocade


Revision History

Version | Change              | Date
1.0     | Initial Publication | November 12, 2024

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.