Security Bulletin: Brocade Fabric OS (FOS) Advisory vulnerabilities affect Brocade 8Gb SAN Switch Module for BladeCenter and IBM Flex System FC5022 16Gb SAN Scalable Switch

Published: 2023-12-07 22:45:04
Source: www.ibm.com

Aggregate scores

The aggregate vectors below do not match any single per-CVE vector listed under Vulnerability Details; use the per-CVE scores when prioritising.

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS3: 9.1 Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H); 9.0 and above is Critical, not High, on the CVSS v3.0 qualitative scale
EPSS: 0.004 Low (percentile 74.1%)

Summary

The following Brocade Fabric OS (FOS) vulnerabilities are addressed by updated firmware for the Brocade 8Gb SAN Switch Module for BladeCenter and the IBM Flex System FC5022 16Gb SAN Scalable Switch.

Vulnerability Details

CVEID: CVE-2018-6442 DESCRIPTION: Broadcom Brocade Fabric OS could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the firmware update section of Brocade Webtools. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152758> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-6441 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to bypass security restrictions, caused by a flaw in the Secure Shell implementation. By sending a specially-crafted argument, an attacker could exploit this vulnerability to supply arbitrary environment variables and bypass the restricted configuration shell.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152757> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-6440 DESCRIPTION: Broadcom Brocade Fabric OS could allow a remote attacker to obtain sensitive information or cause a denial of service, caused by a flaw in the proxy service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVSS Base Score: 7.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152909> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)

CVEID: CVE-2018-6439 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to bypass security restrictions, caused by a flaw in the configdownload command in the command line interface (CLI). By sending a specially-crafted request, an attacker could exploit this vulnerability to escape the restricted shell and gain root access.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153836> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-6438 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the supportsave command in the command line interface (CLI). By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain root shell access.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152800> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-6437 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the help command in the command line interface (CLI). By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain root shell access.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152799> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-6436 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the firmwaredownload command in the command line interface (CLI). By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain root shell access.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152798> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-6435 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the secryptocfg command. By sending specially-crafted arguments, an attacker could exploit this vulnerability to escape the restricted shell and gain root access.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152756> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-6434 DESCRIPTION: Broadcom Brocade Fabric OS could allow a remote attacker to hijack a user's session. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability through the web management interface to gain access to another user's session.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152755> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-6433 DESCRIPTION: Broadcom Brocade Fabric OS could allow a local attacker to bypass security restrictions, caused by a flaw in the secryptocfg export command. By sending a specially-crafted argument, an attacker could exploit this vulnerability to copy arbitrary files from the switch to a remote system.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152752> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Product | Affected Version
---|---
IBM Flex System FC5022 16Gb SAN Scalable Switch Firmware | 8.0
Fabric OS firmware for Brocade 8Gb SAN Switch Module | 7.4

Remediation/Fixes

Product | Fixed Version
---|---
IBM Flex System FC5022 16Gb SAN Scalable Switch Firmware (brcd_fw_bcsw_8.2.1_anyos_noarch) | 8.2.1
Fabric OS firmware for Brocade 8Gb SAN Switch Module (brcd_fw_bcsw_7.4.2d_anyos_noarch) | 7.4.2d
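A practitioner auditing a fleet of these switches needs to compare each switch's running Fabric OS version against the two fixed versions above, and FOS version strings (v7.4.2d, v8.2.1) carry a trailing maintenance letter that plain string comparison gets wrong. The check below is an added example written for this page, not IBM's or Broadcom's code. It assumes the version is read from the "Fabric OS:" line of the FOS `version` CLI command; the sample outputs are constructed to match that line's shape and were not captured from a real switch. It also makes one conservative assumption beyond the table: any switch on the 7.4 train is treated as fixed only at 7.4.2d or later, and any switch on the 8.x train only at 8.2.1 or later, even though the bulletin names only 7.4 and 8.0 as affected.

```python
"""Fabric OS firmware compliance check (added example, not IBM's or Brocade's code)."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Fixed versions from the bulletin's Remediation/Fixes table, keyed by train.
# Assumption: anything below the fixed version on that train needs the update.
FIXED: Dict[str, Tuple[int, int, int, str]] = {
    "7.4": (7, 4, 2, "d"),   # Brocade 8Gb SAN Switch Module for BladeCenter
    "8": (8, 2, 1, ""),      # IBM Flex System FC5022 16Gb SAN Scalable Switch
}

# FOS versions: major.minor.patch plus an optional lower-case maintenance
# letter, with or without a leading 'v' (e.g. v7.4.2d, 8.2.1).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)$")


class FosVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str   # "" sorts before "a", so 7.4.2 < 7.4.2d as FOS intends

    @classmethod
    def parse(cls, text: str) -> "FosVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Fabric OS version: {text!r}")
        return cls(int(m[1]), int(m[2]), int(m[3]), m[4])

    def __str__(self) -> str:
        return f"v{self.major}.{self.minor}.{self.patch}{self.letter}"


def fabric_os_version(version_output: str) -> FosVersion:
    """Extract the running version from the output of the FOS 'version' command."""
    for line in version_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Fabric OS":
            return FosVersion.parse(value)
    raise ValueError("no 'Fabric OS:' line found in version output")


def needs_update(version: FosVersion) -> Optional[bool]:
    """True if the bulletin's fix is missing, False if it is present,
    None if the version train is not covered by this bulletin."""
    if version.major == 7 and version.minor == 4:
        fixed = FIXED["7.4"]
    elif version.major == 8:
        fixed = FIXED["8"]
    else:
        return None
    return tuple(version) < fixed


def audit(outputs: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map switch name -> (running version, status) for a set of captured outputs."""
    result = {}
    for name, out in outputs.items():
        ver = fabric_os_version(out)
        state = needs_update(ver)
        status = {True: "UPDATE REQUIRED", False: "fixed", None: "not covered"}[state]
        result[name] = (str(ver), status)
    return result


# Constructed sample outputs in the shape of the FOS 'version' command.
SAMPLE_OUTPUTS = {
    "fc5022-bay1": "Kernel:     2.6.14.2\nFabric OS:  v8.0.1b\nBootProm:   1.0.11\n",
    "fc5022-bay2": "Kernel:     2.6.14.2\nFabric OS:  v8.2.1\nBootProm:   1.0.11\n",
    "bcsw-8gb-bay3": "Kernel:     2.6.14.2\nFabric OS:  v7.4.2c\nBootProm:   1.0.9\n",
    "bcsw-8gb-bay4": "Kernel:     2.6.14.2\nFabric OS:  v7.4.2d\nBootProm:   1.0.9\n",
}

if __name__ == "__main__":
    for name, (ver, status) in audit(SAMPLE_OUTPUTS).items():
        print(f"{name:14s} {ver:10s} {status}")
```

The tuple comparison is what makes the maintenance letter safe: `(7, 4, 2, "c") < (7, 4, 2, "d")` is true and `(7, 4, 2, "") < (7, 4, 2, "d")` is also true, whereas comparing the raw strings "v7.4.10" and "v7.4.2d" would sort the newer release first.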

Workarounds and Mitigations

None


