CVE-2023-3489
📋 TL;DR
This vulnerability exposes FTP/SFTP/SCP server passwords in clear text within SupportSave files when downgrading from Brocade Fabric OS v9.2.0 to earlier versions. Anyone performing such downgrades on affected systems risks credential exposure. The vulnerability affects Brocade SAN switch administrators and operators.
💻 Affected Systems
- Brocade Fabric OS
📦 What is this software?
Brocade Fabric OS is the operating system that runs Brocade Fibre Channel SAN switches and directors. SupportSave is its diagnostic collection feature, which bundles switch logs and configuration into an archive for support cases; those archives are the files that leak the credentials described here.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to the SupportSave file and extract FTP/SFTP/SCP credentials, potentially compromising file transfer servers and enabling lateral movement to other systems.
Likely Case
Unauthorized personnel with access to SupportSave files can view sensitive credentials, leading to credential theft and potential unauthorized access to file transfer infrastructure.
If Mitigated
With proper access controls and monitoring, credential exposure is limited, but the clear text logging still represents an information disclosure risk.
🎯 Exploit Status
Exploitation requires access to SupportSave files, which typically requires some level of system access or file retrieval capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v9.2.1 or later
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22510
Restart Required: Yes
Instructions:
1. Download Fabric OS v9.2.1 or later from the Broadcom support portal.
2. Upload the firmware to the switch using a secure method.
3. Install the firmware using the 'firmwareDownload' command.
4. Reboot the switch to complete the installation.
🔧 Temporary Workarounds
Avoid downgrade operations
Do not perform downgrades from Fabric OS v9.2.0 to earlier versions. If a downgrade is necessary, use alternative methods that don't involve the vulnerable firmwaredownload command.
Secure SupportSave file access
Restrict access to SupportSave files using file system permissions and ensure they are stored in secure locations with limited access.
🧯 If You Can't Patch
- Monitor access to SupportSave files and alert on unauthorized access attempts.
- Rotate FTP/SFTP/SCP credentials used with the firmwaredownload command regularly.
🔍 How to Verify
Check if Vulnerable:
Check Fabric OS version using 'version' command. If version is v9.2.0 and downgrade operations have been performed, check SupportSave files for clear text passwords.
Check Version:
version
Verify Fix Applied:
After upgrading to v9.2.1 or later, verify version with 'version' command and test that passwords are no longer logged in clear text during downgrade operations.
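The two checks above (inspect the 'version' output, then look through SupportSave text for clear-text credentials) as an added Python example; this is not Brocade's or Broadcom's code. It assumes the 'version' output contains a "Fabric OS:  vX.Y.Z" line and that firmwaredownload arguments appear as host,user,path,password (a hypothetical layout); adjust the regex to the real field order seen in your files.

```python
"""Defender-side checks for CVE-2023-3489 (added example, not vendor code)."""
import re

AFFECTED = (9, 2, 0)   # build named in the advisory; fix is v9.2.1 or later

def parse_fos_version(version_output):
    """Return the Fabric OS release as a tuple, e.g. 'Fabric OS:  v9.2.0' -> (9, 2, 0)."""
    m = re.search(r"Fabric OS:\s*v?(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no Fabric OS version line found")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True for the v9.2.0 build that logs downgrade credentials in SupportSave."""
    return version == AFFECTED

# Assumed argument layout: firmwaredownload [opts] host,user,path,password
CRED_RE = re.compile(r"(firmwaredownload\b.*?\s)([^\s,]+),([^\s,]+),([^\s,]+),(\S+)")

def find_cleartext_credentials(supportsave_text):
    """Return (line_no, user, host) for each firmwaredownload line carrying a password."""
    hits = []
    for n, line in enumerate(supportsave_text.splitlines(), 1):
        m = CRED_RE.search(line)
        if m:
            hits.append((n, m.group(3), m.group(2)))
    return hits

def redact(supportsave_text):
    """Replace the password field with [REDACTED] so the file can be shared safely."""
    def _strip(m):
        return f"{m.group(1)}{m.group(2)},{m.group(3)},{m.group(4)},[REDACTED]"
    return "\n".join(CRED_RE.sub(_strip, line) for line in supportsave_text.splitlines())

# Constructed sample, not real 'version' or SupportSave output.
SAMPLE = """\
Fabric OS:  v9.2.0
Kernel:     2.6.14.2
2023/06/01-10:15:22 firmwaredownload -p sftp 10.0.0.5,fosadmin,/fw/v9.1.1,S3cretPass
2023/06/01-10:20:01 supportsave completed
"""

if __name__ == "__main__":
    print("affected build:", is_affected(parse_fos_version(SAMPLE)))
    for line_no, user, host in find_cleartext_credentials(SAMPLE):
        print(f"line {line_no}: clear-text password for {user}@{host}")
    print(redact(SAMPLE))
```

Any hit means the credential for that user/host should be treated as exposed and rotated, and the redacted copy is the one to attach to a support case.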
📡 Detection & Monitoring
Log Indicators:
- Access to SupportSave files
- firmwaredownload command execution with authentication parameters
- Unauthorized file access attempts
Network Indicators:
- Unexpected FTP/SFTP/SCP connections from switch management IPs
SIEM Query:
source="brocade_switch" AND (event="firmwaredownload" OR file_access="SupportSave")
🔗 References
- https://security.netapp.com/advisory/ntap-20231124-0003/
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22510