Privileged Directory Traversal in Brocade Fabric OS
Brocade: CVE-2021-27798: Fabric OS (Multiple Versions)
Brocade Fabric operating system (OS) is used for monitoring physical, protocol, and application layer data points of a storage area network (SAN) in real time. Black Lantern Security (BLS) identified a vulnerability that allows any authenticated user to bypass restricted shell (
rbash) limitations and list the entire file structure of the affected device. This includes all binaries available to the user. When this vulnerability is combined with the two previously disclosed vulnerabilities (CVE-2021-27796, CVE-2021-27797) affecting the same software versions, an attacker can authenticate using weak default credentials, list all files, and read all files on the system.
CVE-2021-27798 - Authenticated Privileged Directory Traversal
Brocade Fabric OS
<7.4.1d was discovered to have an authenticated privileged directory traversal vulnerability. Utilizing CVE-2021-27797, an authenticated attacker has the ability to list all directory contents on the system. This can be achieved with the
more binary and tab-completion.
Brocade SIRT was notified of this vulnerability and has since issued the following solution:
Brocade recommends Customers run supported Brocade software versions.