A Vulnerability in Broadcom Brocade Fabric OS Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Broadcom Brocade Fabric OS that could allow for arbitrary code execution. Broadcom Brocade Fabric OS is the storage area networking firmware for Brocade Communications Systems’ Fibre Channel switch and Fibre Channel directors. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user or obtain root level privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are currently no reports of this vulnerability being exploited in the wild.

A vulnerability has been discovered in Broadcom Brocade Fabric OS that could allow for arbitrary code execution. Details of this vulnerability is as follows:

Tactic: Privilege Escalation (TA0029):
Technique: Exploit OS Vulnerability (T1404):

• A remote code execution vulnerability in Broadcom Brocade Fabric OS could allow for malicious code execution. This vulnerability could allow a remote unauthenticated attacker to gain root access to the switch. (CVE-2023-3454)

Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user or obtain root level privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

We recommend the following actions be taken:

• Apply appropriate updates provided for Brocade Fabric OS. (M1051: Update Software, M1042: Disable or Remove Feature or Program)
  o Safeguard 4.8: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
  o Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  o Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  o Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

• Conduct vulnerability scanning to find potentially exploitable software vulnerabilities (M1016: Vulnerability Scanning)
  o Safeguard 16.1 : Establish and Maintain a Secure Application Development Process: Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  o Safeguard 16.2 : Establish and Maintain a Process to Accept and Address Software Vulnerabilities: Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.
  o Safeguard 16.3 : Perform Root Cause Analysis on Security Vulnerabilities: Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code and allows development teams to move beyond just fixing individual vulnerabilities as they arise.
  o Safeguard 16.4 : Establish and Manage an Inventory of Third-Party Software Components: Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.