Fibre Channel (SAN)

Occasional Contributor
Posts: 7
Registered: ‎06-24-2011

Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

Hi Experts,

There are some security vulnerabilities on a Brocade switch running FOS 6.3.1a that were detected by the customer's anti-virus program:

1. OpenSSH GSSAPI -- remote code execution

2. OpenSSH sshd Privilege Separation Monitor - unknown vulnerability

3. OpenSSH DoS

4. OpenSSH X11 Cookie -- bypass local authentication

All are defined as critical risk by this scanner program. Can it be fixed? Disable some services or upgrade FOS?

Thanks.

Best Regards,

simon

External Moderator
Posts: 4,985
Registered: ‎02-23-2004

Re: Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

Hi Simon,

I've never seen any such behavior in the past, and neither bugs nor defects are known to me.

What is the anti-virus software used by your customer?

TechHelp24
Valued Contributor
Posts: 931
Registered: ‎12-30-2009

Re: Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

Hi Simon,

Most likely the switch got scanned by an external (as in an appliance in the same network) vulnerability scanner like Nessus, but there are others.

During the scan the switch(es) got marked because of vulnerabilities in SSH, an open-source component used by Brocade.

On typical Unixes you could upgrade this individually.

As it's built into the FOS release, I would not do this but instead look into the following options.

From preferred to less preferred (at least in my opinion):

1-upgrading your firmware if possible.

2-migrate the management port to a shielded management VLAN

3-set up the switch IP filter to only accept a few IP addresses

4-disable (or block with ipfilters) the SSH service, but this leaves you with even more insecure CLI management, namely telnet.

Options 1-2-3 can also be combined, which would make the management interface increasingly more secure.

Occasional Contributor
Posts: 7
Registered: ‎06-24-2011

Re: Anti-virus program detects some security vulnerabilities on switch with FOS 6.3.1a

Thanks for all the replies.

It should be caused by the lower version of the OpenSSH program used in FOS 6.3.1a, and a FOS upgrade to 7.1x will update the program.

Thanks.

Best Regards,

Simon
