CVE-2020-15373
📋 TL;DR
Multiple buffer overflow vulnerabilities in the REST API of Brocade Fabric OS allow remote, unauthenticated attackers to execute arbitrary code or cause a denial of service on affected Brocade SAN switches. No credentials are needed: any host that can reach the switch's HTTP/HTTPS management interface can attempt exploitation.
💻 Affected Systems
- Brocade SAN switches and directors running Fabric OS v8.2.1 through v8.2.1d, or v8.2.2 through v8.2.2b (see the version ranges under How to Verify)
📦 What is this software?
Brocade Fabric OS (FOS) is the operating system that runs on Brocade Fibre Channel SAN switches and directors (Brocade is now part of Broadcom). Besides the CLI and Web Tools, FOS exposes a REST API for switch configuration and monitoring over the management Ethernet interface on HTTP/HTTPS; that REST service is the component affected here.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the SAN environment.
Likely Case
Denial of service attacks disrupting SAN operations, potentially leading to business-critical storage outages.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to REST API endpoints.
🎯 Exploit Status
No public exploit is referenced on this page. Because the flaws are reachable without authentication, any host with network access to the management interface can trigger them. Crashing the REST service (denial of service) is typically easy once a malformed request is found; a reliable remote-code-execution exploit against switch firmware takes more reverse-engineering work but is well within reach of a capable attacker, so treat exposed management interfaces as urgent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v8.2.2c and later for 8.2.2 branch; v8.2.1e and later for 8.2.1 branch
Vendor Advisory: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2020-1082
Restart Required: Yes
Instructions:
1. Download the appropriate Fabric OS firmware image for your platform and branch from the Broadcom support portal.
2. Back up the current configuration (configupload to an external host).
3. Apply the firmware with firmwaredownload, following the release notes and upgrade guide for your platform (directors perform an HA failover; fixed-port switches reboot).
4. Reboot the switch if the upgrade procedure did not already do so.
5. After the switch is back, confirm the running version with version or firmwareshow and verify fabric connectivity.
🔧 Temporary Workarounds
Disable REST API
Disable the REST API service if nothing in your environment depends on it. On Fabric OS 8.2.x the REST interface is managed with the mgmtapp command; verify the exact syntax and whether a reboot is required in the Fabric OS Command Reference for your release before running it on a production switch:
mgmtapp --disable rest
mgmtapp --show
Restrict Network Access
Limit which hosts can reach the switch management IP on TCP 80 and 443 to the management stations that actually need the REST API or Web Tools. Enforce this on the upstream firewall or management-VLAN ACL, and on the switch itself with a Fabric OS IP filter policy (ipfilter --create, --addrule, --save, --activate; check the syntax against the Command Reference for your release). Since the flaws need no authentication, this is the most effective mitigation short of patching.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAN switches from untrusted networks
- Disable REST API service entirely if not required for operations
🔍 How to Verify
Check if Vulnerable:
Run version (or firmwareshow) and read the Fabric OS line. If the running release is in the 8.2.1 branch and earlier than v8.2.1e (v8.2.1 through v8.2.1d), or in the 8.2.2 branch and earlier than v8.2.2c (v8.2.2 through v8.2.2b), the switch is vulnerable. For other branches consult the vendor advisory.
Check Version:
version
Verify Fix Applied:
After patching, confirm with version (or firmwareshow, which lists both firmware partitions) that the running release is v8.2.2c or later on the 8.2.2 branch, or v8.2.1e or later on the 8.2.1 branch.
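The version check above, as an added example written for this page (not vendor tooling): it parses the Fabric OS line from version output and classifies the release against the fixed versions listed here. The sample output is constructed in the shape of the version command's output, not captured from a real switch; releases in branches this page does not list are reported as unknown rather than guessed.

```python
import re

# First fixed release per branch, as listed on this page (8.2.1 -> v8.2.1e, 8.2.2 -> v8.2.2c).
FIXED_SUFFIX = {(8, 2, 1): "e", (8, 2, 2): "c"}

# Fabric OS releases look like v8.2.1d: three numbers and an optional letter suffix.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)$")

# Constructed sample in the shape of Fabric OS 'version' output (not from a real switch).
SAMPLE_VERSION_OUTPUT = """\
Kernel:     2.6.14.2
Fabric OS:  v8.2.1d
Made on:    Thu Jan  2 00:00:00 2020
Flash:      Thu Jan  2 00:00:00 2020
BootProm:   1.0.0
"""


def parse_fos_version(text):
    """'v8.2.1d' -> (8, 2, 1, 'd'); 'v8.2.2' -> (8, 2, 2, '')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def version_from_output(output):
    """Pull the 'Fabric OS:' line out of 'version' CLI output."""
    for line in output.splitlines():
        if line.lower().startswith("fabric os:"):
            return parse_fos_version(line.split(":", 1)[1])
    raise ValueError("no 'Fabric OS:' line in output")


def assess(version):
    """Classify a parsed version against the fixed releases on this page.

    Within a branch, no suffix sorts before 'a', 'a' before 'b', and so on,
    which is how Fabric OS maintenance releases are ordered.
    """
    branch, suffix = version[:3], version[3]
    if branch not in FIXED_SUFFIX:
        # Branch not covered by the fix list on this page: check the advisory instead.
        return "unknown"
    return "vulnerable" if suffix < FIXED_SUFFIX[branch] else "fixed"


if __name__ == "__main__":
    v = version_from_output(SAMPLE_VERSION_OUTPUT)
    print("Fabric OS", "v" + ".".join(map(str, v[:3])) + v[3], "->", assess(v))
```

Paste the real version output into version_from_output, or feed parse_fos_version the release string from an inventory tool, to check a fleet of switches at once.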
📡 Detection & Monitoring
Log Indicators:
- REST API calls from hosts that are not your management stations, or outside change windows
- Crashes or unexpected restarts of the web/REST management daemon in the switch RASlog (errshow / errdump) or in forwarded syslog
- HTTP 5xx responses from /rest/ endpoints, which is how a crashed request handler usually surfaces
Network Indicators:
- Unusual traffic to switch REST API endpoints (typically port 80/443)
- Malformed HTTP requests to /rest/ endpoints: oversized bodies or headers, very long URIs, or non-printable bytes in the request line
SIEM Query:
Pseudo-query; adapt field names to your schema. The byte threshold is a starting point (legitimate REST calls carry small JSON/XML documents), and the management-host list is yours to fill in:
source="brocade_switch" AND http_request LIKE "%/rest/%" AND (status_code=500 OR bytes_received>8192 OR NOT src_ip IN (<management_hosts>))