A vulnerability classified as critical has been found in Brocade Fabric OS up to 7.4.2c/8.0.2e/8.1.2e/8.2.0. Affected is some unknown processing of the component secryptocfg. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

A vulnerability in the secryptocfg export command of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to bypass the export file access restrictions and initiate a file copy from the source to a remote system.

The bug was discovered 10/29/2018. The weakness was shared 11/08/2018 (Website). The advisory is available at broadcom.com. This vulnerability is traded as CVE-2018-6433 since 01/31/2018. Local access is required to approach this attack. Required for exploitation is a authentication. The technical details are unknown and an exploit is not available.

The vulnerability was handled as a non-public zero-day exploit for at least 10 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 7.4.2d, 8.0.2f, 8.1.2f or 8.2.1 eliminates this vulnerability.

The entries 126595, 126598, 126597 and 126596 are related to this item.

Productinfo

Vendor

• Brocade

Name

• Fabric OS

Version

• 7.4.2a
• 7.4.2b
• 7.4.2c
• 8.0
• 8.0.2a
• 8.0.2b
• 8.0.2c
• 8.0.2d
• 8.0.2e
• 8.1
• 8.1.2a
• 8.1.2b
• 8.1.2c
• 8.1.2d
• 8.1.2e
• 8.2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion