An information disclosure in the web interface of Brocade Fabric OS

Vulnerability

An information disclosure vulnerability exists in the web interface of Brocade Fabric OS versions before 8.2.3e, 9.1.1c, and 9.2.0. The flaw allows a remote unauthenticated attacker to retrieve technical details about the web interface, such as configuration or version information, by sending crafted requests. The issue was discovered during internal penetration testing and affects the Brocade Webtools component [1].

Exploitation

An attacker with network access to the affected Brocade Fabric OS web interface can exploit this vulnerability without any authentication. By sending specially crafted HTTP requests to the web interface, the attacker can obtain technical details that are normally not exposed to unauthenticated users. No user interaction or special privileges are required [1].

Impact

Successful exploitation results in information disclosure, revealing technical details about the web interface. This could include version numbers, configuration parameters, or other internal data that may aid in further attacks. The confidentiality of the system is compromised, but there is no direct impact on integrity or availability [1].

Mitigation

Broadcom has released security updates to address this vulnerability. Users should upgrade to Brocade Fabric OS 8.2.3e, 9.1.1c, or 9.2.0 or later. No workarounds are documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].