A major security flaw, tracked as CVE-2024-29953, was found in certain versions of Brocade Fabric OS—the system running on Brocade Fibre Channel switches. If you are running Fabric OS before v9.2.1, v9.2.b, or v9.1.1d, you need to pay attention: your system could be exposing sensitive session-encoded passwords to any authenticated user.
In this post, we’ll break down what this vulnerability means, how attackers could use it, show you simple code to demonstrate the issue, and provide links for further reference, all in clear and easy language.
What is CVE-2024-29953?
CVE-2024-29953 exists because the web interface in affected versions of Brocade Fabric OS stores encoded session passwords in the session storage for Virtual Fabric platforms. The flaw allows any authenticated user (after they log in) to retrieve their own (and potentially other users’) encoded session passwords from local storage—essentially leaking sensitive session secrets.
Why is This a Problem?
An attacker with a valid account can log in, open their browser developer tools, and see encoded session passwords. While these are not plain text, they are often just base64-encoded or weakly obfuscated. Worse, with some manipulation, it may be possible to recover or reuse session credentials to hijack sessions or escalate privileges, depending on how the session management is implemented.
Step-by-Step Walkthrough
Step 1: Login to the Brocade Fabric OS web interface as a normal user.
Step 2: Open the browser developer tools (press F12 or Ctrl+Shift+I in most browsers).
Step 3: Go to the “Application” or “Storage” tab, then find Session Storage or Local Storage.
Step 4: Look for entries that mention “password”, “session”, or similar names.
Here’s a simple JavaScript code snippet a user could run in the console to find any passwords stored in session storage:
// List all session storage keys/values that contain the word "password"
Object.keys(sessionStorage).forEach(function(key) {
if (key.toLowerCase().includes('password')) {
console.log('Found:', key, '=', sessionStorage.getItem(key));
}
});
If encoded passwords are found, a malicious user can copy them and (depending on the encoding or encryption used) attempt to decode or reuse as part of further attacks.
Suppose session passwords are just base64-encoded (common for weak session handling)
let encoded = "YWRtaW46cGFzc3dvcmQ="; // Example value from session storage
let decoded = atob(encoded);
console.log('Decoded password:', decoded); // Prints something like: admin:password
Decodes or extracts it.
4. Tries to reuse this password to hijack or escalate another user's session/wizard.
The specifics will depend on how Brocade manages these sessions, but the mere presence of encoded secrets in an accessible storage location is enough for a successful attack within the same or shared environment.
How to Fix
Update!
Upgrade to v9.2.1, v9.2.b, or v9.1.1d (or later) as soon as possible.
Best Practice:
Never store sensitive information in browser-accessible storage (session storage, local storage, etc). Always use secure cookies (HttpOnly, Secure flags).
Brocade Security Advisory:
https://www.broadcom.com/support/resources/security-advisories/227353
CVE Details:
https://nvd.nist.gov/vuln/detail/CVE-2024-29953
Summary
CVE-2024-29953 is a critical but easy-to-exploit weakness in older Brocade Fabric OS web interfaces. If you manage a network using these switches, upgrade immediately! The flaw lets any authenticated user see encoded session passwords—opening the door to privilege escalation, session hijacking, and compromise of your sensitive infrastructure.
Stay safe and patch quickly.
*This is exclusive and plain-language info to help sysadmins and security folks respond to the latest threats. If your Brocade switches are still running vulnerable versions, act now!*
Timeline
Published on: 06/26/2024 00:15:10 UTC
Last modified on: 06/26/2024 12:44:29 UTC