Release Notes

Closed with Code Change in Fabric OS v7.2.1d
Fabric OS v7.2.1e Release Notes v1.0 Page 43 of 82
Defect ID: DEFECT000529761
Technical Severity: High
Probability: Medium
Product: FOS
Technology: Security
Reported In Release: FOS6.3.0
Technology Area: Security Vulnerability
Symptom: Bash shell security vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187). These vulnerabilities allow certain malformed function definitions to bypass privilege boundaries and execute unauthorized commands.
Condition: Exploiting these vulnerabilities in FOS requires access to the CLI after user authentication over a console, Telnet, or SSH connection. An authenticated user account could exploit this bug to gain privileges beyond those granted to the account, such as executing commands with root privilege.
Workaround: Place the switch and other critical data center infrastructure behind a firewall to disallow access from the Internet; change all default account passwords; delete guest accounts and temporary accounts created for one-time needs; use FOS password policy management to strengthen the complexity, age, and history requirements of switch account passwords. Upgrading to a FOS version that includes this fix removes exposure to the four CVEs noted in the Symptom. In addition, exposure to CVE-2014-6277 and CVE-2014-6278 is prevented.
Defect ID: DEFECT000532108
Technical Severity: Medium
Probability: Medium
Product: FOS
Technology: Security
Reported In Release: FOS6.4.3_dcb
Technology Area: Security Vulnerability
Symptom: Security vulnerability CVE-2014-3566 makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.
Condition: Customers of Brocade SAN products are exposed to this vulnerability only when all of the following conditions hold:
- An end user uses a web browser to access the FOS WebTools interface, or uses another HTTP client such as Brocade Network Advisor, to manage the switch.
- The web browser or other HTTP client supports SSL protocol 3.0.
- An intruder is able to interpose between the HTTP client and the SAN switch.
- The intruder spends time monitoring the request-response formats to learn the system's operations. A total of 256 SSL 3.0 requests are required to decrypt one byte of HTTP cookies.
Workaround: End users should configure their web browsers or Brocade Network Advisor to disable SSLv3 support when accessing a Brocade SAN switch. In addition, place your Brocade SAN switch and other critical data center infrastructure behind a firewall to disallow access from the Internet, to minimize potential exposure to the attacks documented in this advisory.
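The 256-requests-per-byte figure in the condition above follows from how SSL 3.0 and TLS validate CBC padding. The following added example (written for this note, not Brocade's or the release notes' code) models both padding checks and the odds that a substituted full padding block is accepted; the block size, trial count and seed are assumed values.

```python
"""Why CVE-2014-3566 is an SSL 3.0 problem: SSL 3.0 validates only the final
pad-length byte of a decrypted CBC record, TLS 1.0 validates every padding
byte, so a replaced block passes an SSL 3.0 endpoint about once in 256 tries."""
import random
from fractions import Fraction


def ssl3_padding_ok(decrypted: bytes, block_size: int) -> bool:
    """SSL 3.0 (RFC 6101, 5.2.3.2): last byte is the pad length, which must be
    smaller than the block size; the pad bytes themselves are never inspected."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < block_size and len(decrypted) >= pad_len + 1


def tls_padding_ok(decrypted: bytes, block_size: int) -> bool:
    """TLS 1.0 (RFC 2246, 6.2.3.2): all pad_len + 1 trailing bytes must equal
    the pad-length byte."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if len(decrypted) < pad_len + 1:
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):])


def full_block_accept_probability(block_size: int) -> tuple:
    """Chance that a record whose whole last block is padding still passes when
    that block is replaced by arbitrary ciphertext (so it decrypts to random
    bytes). SSL 3.0 only needs the last byte to decrypt to block_size - 1 so the
    MAC lines up: 1/256 for any block size. TLS needs every byte to match."""
    return Fraction(1, 256), Fraction(1, 256 ** block_size)


def count_accepted(block_size: int, trials: int = 20000, seed: int = 7) -> tuple:
    """Constructed Monte Carlo check of the probabilities above: feed random
    full-size blocks to both validators and count acceptances as a complete
    padding block (pad length block_size - 1)."""
    rng = random.Random(seed)  # assumed seed, for repeatable counts
    ssl3_hits = tls_hits = 0
    for _ in range(trials):
        block = bytes(rng.randrange(256) for _ in range(block_size))
        # A full padding block must claim pad length block_size - 1; any other
        # value shifts the data/MAC boundary and the MAC check fails.
        if block[-1] == block_size - 1 and ssl3_padding_ok(block, block_size):
            ssl3_hits += 1
        if block[-1] == block_size - 1 and tls_padding_ok(block, block_size):
            tls_hits += 1
    return ssl3_hits, tls_hits
```

Disabling SSLv3 on the client, as the workaround says, removes the weak check entirely; the TLS validator above is the one that remains.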
Defect ID: DEFECT000532851
Technical Severity: High
Probability: Low
Product: FOS
Technology: Security
Reported In Release: FOS7.3.0
Technology Area: Security Vulnerability
Symptom: Security vulnerability CVE-2009-1895 makes it easier for local users to leverage the details of memory usage.
Condition: The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the security-relevant compatibility flags when a program executes a setuid or setgid binary, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization.