BSA-2022-2075
Broadcom Security Response
Date: Sep 13, 2022
Source: www.broadcom.com

EPSS: 0.001 (Low), percentile 45.1%

Brocade Webtools in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege Webtools user to gain admin rights, or privileges beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not admin can create a new user with the admin role using the operator's session id. The issue was reproduced by intercepting the admin and operator authorization headers (which are sent unencrypted and can therefore be captured on the network path) and editing a captured user-addition request so that it carries the operator's authorization header instead. The switch accepted the modified request: the user-addition operation was not checked server-side against the role of the session presenting it.

The fix shipped in Brocade Fabric OS v9.1.1, v9.0.1e, and v8.2.3c adds a configurable option to "disable" Webtools access for all non-admin users. Note that this is a workaround that keeps non-admin users out of the affected interface rather than a correction of the authorization check itself; see below.

This configuration option does not affect the REST and CLI interfaces; non-admin users may continue to access the switch through the CLI or REST.

In a future major release, architectural changes will allow non-admin users to access the switch through Webtools and the HTML interfaces without exposure to this vulnerability.
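As an added illustration (this is not Brocade's code; the handler names, session table, tokens and the webtools_non_admin_access flag are hypothetical stand-ins), the following Python model shows the authorization flaw described above, the server-side role check that closes it, and the interim option that disables Webtools for non-admin sessions while leaving CLI/REST untouched:

```python
"""Toy model of the BSA-2022-2075 Webtools flaw: a user-addition request that is
accepted on the strength of any valid session, replayed with an operator's
authorization header. Hypothetical names throughout; not Brocade code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed session table standing in for the Webtools session ids that the
# advisory says travel in (unencrypted) Authorization headers: token -> (user, role).
SESSIONS: Dict[str, Tuple[str, str]] = {
    "sid-admin-1": ("admin", "admin"),
    "sid-oper-1": ("oper1", "operator"),
}


@dataclass
class Switch:
    """Minimal switch state: user database plus the hypothetical knob that
    stands in for the 'disable non-admin Webtools access' option."""
    users: Dict[str, str] = field(
        default_factory=lambda: {"admin": "admin", "oper1": "operator"})
    webtools_non_admin_access: bool = True


def _session(headers: Dict[str, str]) -> Tuple[str, str]:
    """Resolve the Authorization header to (user, role); reject unknown sessions."""
    token = headers.get("Authorization")
    if token not in SESSIONS:
        raise PermissionError("unauthenticated")
    return SESSIONS[token]


def add_user_vulnerable(switch: Switch, headers: Dict[str, str],
                        new_user: str, new_role: str) -> bool:
    """The flaw: only authentication is checked. Any valid session, including an
    operator's, may create a user with any role."""
    _session(headers)
    switch.users[new_user] = new_role
    return True


def add_user_fixed(switch: Switch, headers: Dict[str, str],
                   new_user: str, new_role: str) -> bool:
    """Server-side authorization: the role bound to the presented session must be
    admin, regardless of which page or client built the request."""
    _, role = _session(headers)
    if role != "admin":
        raise PermissionError("admin role required to add users")
    switch.users[new_user] = new_role
    return True


def webtools_login(switch: Switch, headers: Dict[str, str]) -> Tuple[str, str]:
    """The shipped mitigation: when the option is off, Webtools refuses every
    non-admin session at the door. CLI/REST are not gated by this flag."""
    user, role = _session(headers)
    if role != "admin" and not switch.webtools_non_admin_access:
        raise PermissionError("Webtools access disabled for non-admin users")
    return user, role


def cli_login(switch: Switch, headers: Dict[str, str]) -> Tuple[str, str]:
    """CLI/REST path: unaffected by the Webtools-only knob, as the advisory notes."""
    return _session(headers)


def replay_attack(handler: Callable[..., bool], switch: Switch) -> bool:
    """Reproduce the advisory's steps: take a captured admin 'add user' request
    and resend it with the operator's Authorization header swapped in.
    Returns True if the switch ends up with the attacker-chosen admin account."""
    captured = {"headers": {"Authorization": "sid-admin-1"},
                "user": "backdoor", "role": "admin"}          # constructed capture
    forged_headers = dict(captured["headers"], Authorization="sid-oper-1")
    try:
        handler(switch, forged_headers, captured["user"], captured["role"])
    except PermissionError:
        return False
    return switch.users.get("backdoor") == "admin"


if __name__ == "__main__":
    print("vulnerable handler, operator replay succeeds:",
          replay_attack(add_user_vulnerable, Switch()))
    print("fixed handler, operator replay succeeds:",
          replay_attack(add_user_fixed, Switch()))
    hardened = Switch(webtools_non_admin_access=False)
    try:
        webtools_login(hardened, {"Authorization": "sid-oper-1"})
    except PermissionError as exc:
        print("mitigation:", exc)
    print("operator still reaches CLI:",
          cli_login(hardened, {"Authorization": "sid-oper-1"}))
```

The point of the model is the difference between the two handlers: add_user_vulnerable authorizes the operation only by the existence of a valid session, so swapping in a lower-privilege header is enough, while add_user_fixed binds the decision to the role of the session that actually presented the request. The webtools_non_admin_access knob reproduces the shipped option: it removes non-admin sessions from the vulnerable front end but leaves the handler itself unchanged, and the same operator session still reaches the CLI/REST path.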

Affected Product

All Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c.

