Summary

Brocade has become aware of an Expected Behavior Violation vulnerability in OpenSSH releases 7.4 through 9.9. In affected versions of sshd, the DisableForwarding directive does not disable X11 and agent forwarding, which may allow unintended access under certain configurations.

Products Affected

• Brocade SANnav standard deployment versions before 2.4.0b.
• Brocade SANnav OVA deployments before 3.0

Products Confirmed Not Affected

• Brocade ASCG - X11Forwarding is disabled by default in all Brocade ASCG versions.
• Brocade Fabric OS - X11 forwarding is disabled by default In All Supported versions of Brocade Fabric OS

Solution

• Brocade SANnav - Security update provided in SANnav 3.0 for both standard and OVA deployments.
• Brocade SANnav - Security update provided in SANnav 2.4.0b for standard deployment only.

Workaround

• For Brocade SANnav OVA version 2.4.0b
  
  • Mitigation : to mitigate this vulnerability at the OS level, explicitly disable X11 and agent forwarding in your OpenSSH configuration (sshd_config) using:
    • X11Forwarding no
    • AllowAgentForwarding no

Revision History

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.