CVE-2024-5460
📋 TL;DR
A vulnerability in Brocade Fabric OS allows authenticated remote attackers to read device data via SNMP using hard-coded default community strings. This affects Brocade Fabric OS versions before v9.0.0 with default SNMP configurations. Attackers can exploit this to gather sensitive information from affected storage area network switches.
💻 Affected Systems
- Brocade Fabric OS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive configuration data, network topology information, and potentially obtain credentials or other secrets stored on the device, leading to full network compromise.
Likely Case
Attackers will gather network configuration details, device information, and potentially use this as reconnaissance for further attacks against the storage network infrastructure.
If Mitigated
With proper SNMP community string changes and network segmentation, impact is limited to information disclosure of non-sensitive device data.
🎯 Exploit Status
Exploitation requires knowledge of the hard-coded community string and SNMP v1 access to the device. SNMP scanning tools can easily detect and exploit this.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v9.0.0 or later
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24409
Restart Required: Yes
Instructions:
1. Upgrade to Fabric OS v9.0.0 or later.
2. Apply the firmware update following Broadcom's upgrade procedures.
3. Verify SNMP configuration after upgrade.
4. Restart the switch to apply changes.
🔧 Temporary Workarounds
Change SNMP Community Strings
Applies to: all
Modify default SNMP community strings to strong, unique values
snmpConfig --set snmpv1 -c "new_community_string"
snmpConfig --set snmpv1 -r "new_read_string"
Disable SNMP v1
Applies to: all
Disable the vulnerable SNMP version 1 protocol
snmpConfig --disable snmpv1
🧯 If You Can't Patch
- Implement network segmentation to restrict SNMP access to trusted management networks only
- Deploy network monitoring to detect SNMP scanning and unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether SNMP v1 is enabled with default community strings using the snmpConfig --show command
Check Version:
version
Verify Fix Applied:
Verify Fabric OS version is v9.0.0 or later and SNMP community strings have been changed from defaults
📡 Detection & Monitoring
Log Indicators:
- SNMP authentication failures
- Multiple SNMP queries from unauthorized sources
- SNMP v1 protocol usage
Network Indicators:
- SNMP v1 traffic to Brocade switches
- SNMP queries using default community strings
- UDP port 161 traffic from unexpected sources
SIEM Query:
source_ip:* destination_port:161 protocol:UDP AND (community_string:"public" OR community_string:"private")
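As an added detection example (not code from the advisory or from Broadcom), the following Python decodes only the outer header of an SNMPv1/v2c datagram and maps it to the network indicators above: SNMPv1 traffic to UDP/161 and the default community strings "public" and "private" named on this page. The packet builder and the sample community values it is fed are constructed for this example; feed assess() the UDP payloads your capture tool hands you.

```python
from typing import Optional

# Default community strings named in the advisory; add site-specific defaults here.
DEFAULT_COMMUNITIES = {b"public", b"private"}

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one BER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload: bytes) -> Optional[tuple[int, bytes]]:
    """Return (version, community) of an SNMPv1/v2c message, or None if not SNMP (0 = v1, 1 = v2c)."""
    try:
        tag, body, _ = _read_tlv(payload, 0)            # Message ::= SEQUENCE
        tag2, ver, pos = _read_tlv(body, 0)             # version INTEGER
        tag3, community, _ = _read_tlv(body, pos)       # community OCTET STRING (PDU left undecoded)
        if (tag, tag2, tag3) != (0x30, 0x02, 0x04):
            return None
        return int.from_bytes(ver, "big"), bytes(community)
    except (IndexError, ValueError):
        return None

def assess(payload: bytes, dst_port: int) -> str:
    """Map one UDP datagram to the advisory's network indicators."""
    if dst_port != 161 or (hdr := parse_snmp_header(payload)) is None:
        return "ignore"
    version, community = hdr
    if version == 0 and community in DEFAULT_COMMUNITIES:
        return "alert: SNMPv1 with default community"
    if version == 0:
        return "warn: SNMPv1 in use"
    if community in DEFAULT_COMMUNITIES:
        return "warn: default community string"
    return "ok"

def build_get_request(version: int, community: bytes) -> bytes:
    """Constructed SNMPv1/v2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0); test input only."""
    pdu = bytes.fromhex("a01c020400000001020100020100300e300c06082b060102010101000500")
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body
```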