CVE-2022-28170 is a security vulnerability discovered in several versions of Brocade Fabric OS — a widely used system in datacenter management for storage area networks (SAN). This vulnerability allowed server and user passwords to be stored in plain text inside debug log files.
Here, we break down what the vulnerability is about, who’s at risk, how it can be exploited, and steps you can take to secure your systems. We’ll also see some code snippets and direct references to help you understand the real impact.
What is Brocade Fabric OS?
Before diving into the vulnerability, let's talk briefly about Brocade Fabric OS. It powers Fibre Channel switches — think of backbone devices in enterprise storage networks. They help manage data storage and transfer securely between servers and data pools.
Summary Table
| CVE ID | CVE-2022-28170 |
|----------------|-------------------------------------------------------------|
| Product | Brocade Fabric OS Web Application Services |
| Affected Ver. | Before v9.1., v9..1e, v8.2.3c, v7.4.2j |
| Type | Information Disclosure (Password exposure in debug logs) |
| Severity | Medium |
| Attack Vector | Local (requires access to debug files) |
What Happened?
In affected Brocade Fabric OS versions, both server and user passwords are written directly into debug statements without masking or obfuscation. That means if any process enables debug logging, those passwords end up in debug log files in readable format.
Anyone with access (even limited local users) to these log files can simply open them and see sensitive passwords.
Code Snippet (Pseudo-code Based on Reported Behavior)
// This is not actual Brocade code but an example of what might be happening
char *user = get_user(); // e.g., "admin"
char *pass = get_pass(); // e.g., "Pa$$wrd!"
// Bad: Logging sensitive data directly
log_debug("Login attempt by %s with password %s", user, pass);
// These logs are written to diagnostics/debug log files:
A real debug log line might look like
[DEBUG] 2022-03-28 12:34:56 Login attempt by admin with password Pa$$wrd!
Anyone who enabled debug mode or saved debug files
- Situations where users (admins, engineers, techs) have local shell access to the switch or exported its logs for support/diagnostics
Steps for an Attacker
1. Gain Local Access: The attacker gets access to the system (e.g., as a support tech or by exploiting another local vulnerability).
2. Locate Debug Logs: Look for log files, commonly under /var/log/ or equivalent custom locations, e.g., /support/save or /fabric/logs/.
Example Command
# Search for lines containing passwords in log files
grep -i "password" /var/log/debug.log
Output
Login attempt by admin with password Pa$$wrd!
Severity & Impact
While this vulnerability does *not* allow remote code execution or privilege escalation by itself, it’s particularly dangerous in shared administrative environments or when organizations share logs with vendors for technical support.
Patches and Fixes
Brocade released updates to prevent this issue by removing sensitive password information from debug log output.
Brocade Fabric OS version 7.4.2j
Recommendation:
Upgrade immediately to at least the patched versions mentioned above. Also, review all debug logs generated before the patch for accidental disclosure.
References
- NIST CVE Entry – CVE-2022-28170
- Broadcom Security Advisory BRKOPS-2022-123
- SecurityLab Analysis (Russian)
- Brocade Fabric OS Downloads
Conclusion
CVE-2022-28170 is a stark reminder of how even simple logging mistakes can lead to major security breakdowns. Always be vigilant about what gets logged and who can access those logs. Apply vendor patches as soon as they come out, and regularly review your internal policies for log handling.
Stay safe, and always check what’s hiding in your logs.
*Post written exclusively for this request. Please reference links for original advisories and patch notes.*
Timeline
Published on: 10/25/2022 21:15:00 UTC
Last modified on: 03/02/2023 16:06:00 UTC