In early 2024, a critical security vulnerability was discovered in Brocade Fabric OS, affecting several of the widely used versions in enterprise SAN environments. This vulnerability, CVE-2024-29954, is caused by improper logging in the product’s firmware download process. As a result, sensitive information — including the *server passwords* for protocols like SCP/SFTP — could be unintentionally captured in system logs and later accessed by authenticated users. Below, we break down the vulnerability, dangerous scenarios, exploitation paths, code behavior, and mitigation steps, as well as references for further reading.
Check your Fabric OS version by running
firmwareshow
The Root Cause
The firmware download feature allows administrators to upgrade or install firmware on Brocade switches. You typically use the firmwaredownload command like so:
firmwaredownload -sftp -p password -host 10.10.10.10 -user fwadmin
However, if the command is *entered incorrectly* (e.g., wrong password, wrong host, or malformed file path), the entire command—including the password—is output to log files. Here’s how it happens:
An error occurs (e.g., destination not accessible, file not found).
3. Brocade logs the *full* attempted command, including any provided passwords, to an insecure log file.
Example Log Entry
[2024-04-25 11:37:20] ERROR: firmwaredownload -sftp -p SuperSecretPassword -host 10.10.10.10 -user fwadmin failed: Invalid file
Why Is This Bad?
Any user with log viewing privileges — not just top-level admin — can grep about for the password in the logs. Even though only authenticated users can read logs, in environments with multiple admins or a shared helpdesk account, this is a serious security risk.
Exploitation Example
Suppose you (or a previous admin) ran into a typo and now the sensitive credentials are somewhere under /var/log (commonly /var/log/messages or a Brocade-specific firmwaredownload.log).
A curious or malicious insider might do
grep 'firmwaredownload' /var/log/firmwaredownload.log
or
cat /var/log/firmwaredownload.log | grep -i 'password'
and see something like
firmwaredownload -sftp -p HuntersPass123 -host 10.10.10.22 -user root failed: Authentication error.
Whoever finds this line now has valid credentials (possibly still good on your SCP/SFTP server)!
Let’s look at a simplified code snippet representing what was likely happening internally
def firmwaredownload(args):
try:
# attempts firmware download
download_firmware(args)
except Exception as e:
# BAD: logs the full command, revealing the password as part of args
log.error(f"firmwaredownload {args} failed: {str(e)}")
A safer way would mask the password
def mask_password(args):
# Find -p <password> and replace <password> with ***
return re.sub(r'(-p\s+)\S+', r'\1', args)
def firmwaredownload(args):
try:
download_firmware(args)
except Exception as e:
safe_args = mask_password(args)
log.error(f"firmwaredownload {safe_args} failed: {str(e)}")
Real-World Risks
- Lateral Movement: Attackers or rogue admins could use exposed credentials for further access across connected storage, backup, or management systems.
- Persistence: Even after password changes, old logs could retain valid credentials if servers keep default passwords or rotate infrequently.
- Regulatory/Compliance Breaches: Exposing live passwords in logs may violate regulatory standards like PCI, HIPAA, or GDPR.
Mitigation
Patch Immediately:
8.2.3e
Cleanup Existing Logs:
After patching, sanitize old logs
# Search for and clean log entries (risky: always backup first!)
sed -i '/firmwaredownload.*-p [^ ]*/s/-p [^ ]*/-p /g' /var/log/firmwaredownload.log
or rotate/delete log files if feasible and allowed by your audit policy.
Restrict Log Access:
Minimize the user base who can view logs. Remove any legacy or unnecessary local user accounts.
References
- NVD: CVE-2024-29954
- Brocade Fabric OS Downloads & Docs
- Broadcom Security Advisory SA2099
Limit log access and sanitize old history after known security flaws.
Stay safe, and keep your Brocade SANs tidy and up-to-date!
Timeline
Published on: 06/26/2024 00:15:10 UTC
Last modified on: 08/02/2024 01:17:58 UTC