Fabric OS Vulnerability Allows for Password Capture in Firmware Downloads
CVE-2024-10403

7.5HIGH

Key Information:

Vendor: Brocade
Status: Fabric Os
Vendor: CVE Published:; 21 November 2024

What is CVE-2024-10403?

A vulnerability in certain versions of Brocade Fabric OS allows the SFTP/FTP server password used during firmware download operations to be captured. This occurs when the operation is initiated by the SANnav management interface or through WebEM, and is then recorded in a core dump. Such core dumps can be collected via the supportsave feature, posing risks to the confidentiality of sensitive credentials. This vulnerability highlights critical risks associated with improper handling of server passwords, particularly in a storage area network environment.

Affected Version(s)

Fabric OS Brocade Fabric OS versions before 8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a

References

https://support.broadcom.com/web/ecx/support-content-noti...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2024
Vulnerability Reserved
Oct 25, 2024