Knowledge of full path name
Description
Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Brocade Fabric OS before v9.1.1c and v9.2.0 allows authenticated local users with full path knowledge to execute arbitrary commands regardless of privilege.
Vulnerability
Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 contain a command injection vulnerability that allows an authenticated, local user with knowledge of full path names inside the system to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled, but the vulnerability bypasses this restriction. This issue is identified in the Broadcom security advisory BSA-2023-2325 [1].
Exploitation
To exploit this vulnerability, an attacker must have authenticated local access to the Brocade Fabric OS and knowledge of full path names within the system. The attacker does not require root privileges; the vulnerability allows command execution beyond the user's assigned privilege level. The exact attack vector involves leveraging the path name knowledge to execute arbitrary commands, though specific steps are not publicly detailed [1].
Impact
Successful exploitation enables an authenticated local user to execute any command on the affected Brocade Fabric OS, effectively bypassing the privilege restrictions. This can lead to full compromise of the system, including unauthorized data access, system configuration changes, and potential denial of service. The integrity and confidentiality of the system are at high risk [1].
Mitigation
Brocade has released security updates in Fabric OS versions 9.1.1c and 9.2.0 to address this vulnerability. Users should upgrade to these fixed versions immediately. No workarounds are documented. The issue was discovered through internal penetration testing, and the advisory was published on August 1, 2023 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.1.1c, 9.2.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.