A vulnerability, which was classified as critical, has been found in Brocade Fabric OS up to 7.4.2c/8.0.2e/8.1.2e/8.2.0. Affected by this issue is an unknown functionality of the component Command Line Interface. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. CVE summarizes:

A Vulnerability in the secryptocfg command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and, and gain root access.

The bug was discovered 10/29/2018. The weakness was released 11/08/2018 (Website). The advisory is shared for download at broadcom.com. This vulnerability is handled as CVE-2018-6435 since 01/31/2018. The attack needs to be approached locally. The successful exploitation needs a simple authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

The vulnerability was handled as a non-public zero-day exploit for at least 10 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 7.4.2d, 8.0.2f, 8.1.2f or 8.2.1 eliminates this vulnerability.

Entries connected to this vulnerability are available at 126595, 126600, 126599 and 126598.

Productinfo

Vendor

• Brocade

Name

• Fabric OS

Version

• 7.4.2a
• 7.4.2b
• 7.4.2c
• 8.0
• 8.0.2a
• 8.0.2b
• 8.0.2c
• 8.0.2d
• 8.0.2e
• 8.1
• 8.1.2a
• 8.1.2b
• 8.1.2c
• 8.1.2d
• 8.1.2e
• 8.2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion