CVE-2024-29953
📋 TL;DR
This vulnerability in the Brocade Fabric OS web interface exposes encoded session passwords in session storage on Virtual Fabric platforms. It allows authenticated users to view other users' session passwords, potentially enabling privilege escalation. Affected are Brocade SAN switches running vulnerable Fabric OS versions.
💻 Affected Systems
- Brocade SAN switches with Fabric OS
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could decode exposed session passwords, impersonate administrators, gain full control of SAN fabric, and potentially access sensitive storage data.
Likely Case
Authenticated users with limited privileges could view encoded passwords of other sessions, potentially enabling lateral movement within the fabric management environment.
If Mitigated
With proper access controls and monitoring, impact is limited to authenticated users who already have some level of access to the management interface.
🎯 Exploit Status
Exploitation requires authenticated access to the web interface. The exposed passwords are encoded, so an attacker may need additional decoding steps before they are usable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v9.2.1, v9.2.0b, or v9.1.1d
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23227
Restart Required: Yes
Instructions:
1. Download the appropriate firmware version from the Broadcom support portal.
2. Back up the current configuration.
3. Upload and install the firmware via the CLI or web interface.
4. Reboot the switch after the installation completes.
🔧 Temporary Workarounds
Disable web interface
Applies to: all
Disable the vulnerable web interface and use CLI-only management
firmwareDefault
ipAddrSet -disable
Restrict web interface access
Applies to: all
Limit web interface access to trusted management networks only
ipfilter -a -i <interface> -s <trusted_network> -p tcp -d 80,443 -A
🧯 If You Can't Patch
- Implement strict access controls to limit web interface access to authorized administrators only
- Enable detailed logging and monitoring of web interface access and session activities
🔍 How to Verify
Check if Vulnerable:
Check the Fabric OS version with the 'version' command. If the version is earlier than v9.2.1, v9.2.0b, or v9.1.1d, the system is vulnerable.
Check Version:
version
Verify Fix Applied:
After patching, confirm with the 'version' command that the reported version is v9.2.1, v9.2.0b, or v9.1.1d, or later.
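A version check for the rule above, as an added example (not code from the original page or the vendor): it parses a Fabric OS version string, or the "Fabric OS:" line of 'version' output, and compares it against the first fixed build on each release branch (v9.1.1d, v9.2.0b, v9.2.1 and later). Branches the advisory does not list are treated as fixed only when newer than v9.2.1, which is a conservative assumption; the sample 'version' output is constructed.

```python
import re

# First fixed build per release branch, as stated in the advisory.
FIXED_BUILDS = {
    (9, 1, 1): (9, 1, 1, "d"),  # v9.1.1d
    (9, 2, 0): (9, 2, 0, "b"),  # v9.2.0b
    (9, 2, 1): (9, 2, 1, ""),   # v9.2.1 (no letter suffix)
}
# Any branch newer than this is treated as fixed from its first release ("v9.2.1 or later").
FIXED_FROM_BRANCH = (9, 2, 1)

# Matches 'v9.1.1c' or '9.2.0b'; the optional trailing letter is the patch-release suffix.
VERSION_RE = re.compile(r"(?<![\w.])v?(\d+)\.(\d+)\.(\d+)([a-z]?)(?![\w.])")


def parse_fos_version(text):
    """Return (major, minor, patch, suffix) from a bare version or full 'version' output.
    In full output only the 'Fabric OS:' line is used, so the kernel version is not picked up."""
    for line in text.splitlines():
        if line.strip().lower().startswith("fabric os:"):
            text = line
            break
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Fabric OS version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_fixed(text):
    """True when the version carries the fix for CVE-2024-29953 per the advisory's fixed builds."""
    v = parse_fos_version(text)
    branch = v[:3]
    if branch in FIXED_BUILDS:
        # Tuple comparison orders the suffix: '' < 'a' < 'b', so 9.2.0a < 9.2.0b < 9.2.0c.
        return v >= FIXED_BUILDS[branch]
    # Unlisted branch (assumption): fixed only if newer than 9.2.1; e.g. 9.0.x is treated as vulnerable.
    return branch > FIXED_FROM_BRANCH


# Constructed sample of 'version' command output (not captured from a real switch).
SAMPLE_VERSION_OUTPUT = """\
Kernel:     4.19.0
Fabric OS:  v9.1.1c
Made on:    (constructed sample)
"""

if __name__ == "__main__":
    major, minor, patch, suffix = parse_fos_version(SAMPLE_VERSION_OUTPUT)
    status = "fixed" if is_fixed(SAMPLE_VERSION_OUTPUT) else "VULNERABLE"
    print(f"Fabric OS v{major}.{minor}.{patch}{suffix}: {status}")
```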
📡 Detection & Monitoring
Log Indicators:
- Multiple session accesses from single user
- Unusual session creation patterns
- Access to session storage locations
Network Indicators:
- Multiple HTTP requests to session storage endpoints from single IP
- Unusual traffic patterns to web interface
SIEM Query:
source="brocade_switch" AND (event_type="session_access" OR url="*/session*") | stats count by src_ip, user