Brocade Fibre Channel Networking Community


Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

  • 1.  Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

    Posted 09-10-2013 08:56 PM

    Hi Experts,

    Some security vulnerabilities on a Brocade switch running FOS 6.3.1a were detected by the customer's anti-virus program:

    1. OpenSSH GSSAPI -- remote code execution

    2. OpenSSH sshd Privilege Separation Monitor - unknown vulnerability

    3. OpenSSH DoS

    4. OpenSSH X11 Cookie -- bypass local authentication

    All are defined as critical risk by this scanner program. Can it be fixed? Disable some services or upgrade FOS?

    Thanks.

    Best Regards,

    simon


    #BrocadeFibreChannelNetworkingCommunity


  • 2.  Re: Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

    Posted 09-11-2013 12:22 AM

    Hi Simon,

    I've never seen any such behavior in the past, and neither bugs nor defects are known to me.

    What is the anti-virus software used by your customer?




  • 3.  Re: Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

    Posted 09-11-2013 08:53 AM

    Hi Simon,

    Most likely the switch got scanned by an external (as in an appliance in the same network) vulnerability scanner like Nessus, but there are others.

    During the scan the switch(es) got marked because of vulnerabilities in SSH, an open-source component used by Brocade.

    On typical Unixes you could upgrade this individually.

    As it's built into the FOS release, I would not do this but instead look into the following options.

    From preferred to less preferred (at least in my opinion):

    1. Upgrading your firmware if possible.

    2. Migrate the management port to a shielded management VLAN.

    3. Set up the switch IP filter to only accept a few IP addresses.

    4. Disable (or block with ipfilters) the SSH service, but this leaves you with even more insecure CLI management, namely telnet.

    Options 1, 2 and 3 can also be combined, which would make the management interface increasingly more secure.


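An added example, not part of any post in this thread: a Python check for options 3 and 4 in the reply above, run against a planned management-port filter policy before it is activated. The rule tuples are a constructed model (first match wins, unmatched traffic denied, both assumptions), not Brocade ipfilter syntax, and all addresses are constructed.

```python
import ipaddress

# Constructed rule sets: (source CIDR or "any", dest port, protocol, action).
# Assumed semantics: top-down, first match wins, unmatched traffic is denied.
WEAK = [("any", 22, "tcp", "permit"), ("any", 23, "tcp", "permit")]
RESTRICTED = [
    ("192.0.2.10/32", 22, "tcp", "permit"),  # admin workstation (constructed)
    ("192.0.2.0/28", 443, "tcp", "permit"),  # management subnet, HTTPS only
    ("any", 22, "tcp", "deny"),
    ("any", 23, "tcp", "deny"),              # telnet closed for everyone
]

def _src_matches(rule_src, src_ip):
    if rule_src == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)

def decide(rules, src_ip, port, proto="tcp"):
    """Return 'permit' or 'deny' for one connection attempt."""
    for rule_src, rule_port, rule_proto, action in rules:
        if (rule_port, rule_proto) == (port, proto) and _src_matches(rule_src, src_ip):
            return action
    return "deny"

def audit(rules, admins, outsiders):
    """Findings to clear before activating the policy on the switch."""
    findings = []
    for ip in outsiders:
        for port in (22, 23):
            if decide(rules, ip, port) == "permit":
                findings.append(f"tcp/{port} reachable from non-admin {ip}")
    for ip in admins:
        if decide(rules, ip, 23) == "permit":
            findings.append(f"telnet still permitted for admin {ip}")
        if decide(rules, ip, 22) != "permit":
            findings.append(f"admin {ip} would be locked out of SSH")
    return findings

if __name__ == "__main__":
    admins, outsiders = ["192.0.2.10"], ["192.0.2.11", "198.51.100.7"]
    for name, rules in (("WEAK", WEAK), ("RESTRICTED", RESTRICTED)):
        print(name, audit(rules, admins, outsiders) or "no findings")
```

An empty findings list means SSH is reachable only from the listed admin hosts, telnet is closed, and no admin is locked out.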


  • 4.  Re: Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

    Posted 09-18-2013 01:48 AM

    Thanks for all the replies.

    It should be caused by a lower version of the OpenSSH program used in FOS 6.3.1a, and a FOS upgrade to 7.1x will update the program.

    Thanks.

    Best Regards,

    Simon

