search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Brocade BigIron RX switch ACL bypass vulnerability

Vulnerability Note VU#853246

Original Release Date: 2011-07-13 | Last Revised: 2012-02-03

Overview

Brocade BigIron RX switch devices are susceptible to an access control list (ACL) bypass vulnerability by sending packets with the source port 179.

Description

Brocade BigIron RX switch devices do not properly restricted packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. It has been reported that individual packets with a source port of 179 are allowed through, as well as, full SSH and RDP sessions.

Impact

A remote unauthenticated attacker can bypass any ACL rule on a BigIron RX switch device.

Solution

Apply an Update

Brocade has created software defect 355173 for this issue.  The following patch releases address this vulnerability; RX 2.8.00a, 2.7.03b, and 2.7.02l. Customers should contact Brocade support to download these updates.

Workaround


Do not depend on BigIron RX switch devices to provide restricted access to any network infrastructure. Use a separate trusted firewall device to restrict access.

Vendor Information

853246
 
Affected   Unknown   Unaffected

Brocade

Notified:  June 06, 2011 Updated:  July 25, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Technical Support Bulletin

July 21, 2011

TSB
2011-118-A                                                                  
SEVERITY:  High – Operational

PRODUCTS AFFECTED:

BigIron RX running all releases.

CORRECTED IN RELEASE:

Will be fixed in RX 2.7.02l, 2.7.03b, and 2.8.00a releases.

Bulletin Overview

BigIron RX switch does not properly restrict packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. These packets are allowed through the system. This has been reported by US-CERT http://www.kb.cert.org/vuls/id/853246

Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that have a direct, entitled, support relationship in place with Brocade.

Please contact your primary service provider for further information regarding this topic and applicability for your environment.

Problem Statement

BigIron RX switch does not properly restrict packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. These packets are allowed through the system. This has been reported by US-CERT http://www.kb.cert.org/vuls/id/853246

The BigIron RX is using internal ACLs to set the priority of BGP traffic that is received on an interface.  This priority is given to traffic sent or received by a peer.  This priority is used internally in the RX when packets
are forwarded both through the switch and to the control CPU.  This is done to prefer BGP control traffic over other non-control traffic.

ACLs are processed using a CAM (Content Addressable Memory) in the RX.  A CAM works by comparing entries sequentially.  The internal ACL is located in the first area of the CAM before user ACLs.  So when a user ACL to deny BGP traffic is added it does not get used because the internal ACL is processed first.

Risk assessment

Some unwanted TCP packets may be forwarded by the BigIron RX.  This could present a security violation for the customer.

Symptoms

ACLs added by the customer to restrict certain types of TCP traffic from being forwarded by the BigIron RX may not work.  For example, if a customer added an ACL to drop all BGP traffic on an interface, it will not work.

Workaround

No workaround.

Corrective Action

Software defect 355173 has been created for this issue.  This fix will be available in the following patch releases; RX 2.8.00a, 2.7.03b, and 2.7.02l.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Bashar Ewaida for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-4884
Severity Metric: 0.28
Date Public: 2011-07-13
Date First Published: 2011-07-13
Date Last Updated: 2012-02-03 21:02 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.