Brocade admins: Check your privilege

You did kill that diagnostic account, yes? If not, naughty folks know how to kick it hard


Brocade is reminding users of some of its storage area networking (SAN) kit to shoot down default diagnostic accounts.

A note on Full Disclosure posted by Karn Ganeshen pointed out a swag of worrying things, such as the fact that diagnostic accounts built into Brocade kit come with default passwords set, and offer both telnet and SSH access.

The issue applies to Brocade Fabric OS v6.3.1b.

However, Brocade told The Register the issue's not regarded as a critical vulnerability, because the diagnostic accounts can be blocked or have strong passwords set.

“As part of basic Storage Area Networking (SAN) switch configuration, Brocade has documented procedures for customers to set up strong passwords for diagnostic accounts,” John Chesson, Brocade's director of corporate security incident response advised us.

“The regular switch management and administration framework makes use of pre-defined Fabric OS (FOS) commands and does not require access to diagnostic accounts or files. In addition, customers can disable the diagnostics accounts.

“We will continue to investigate and improve the security mechanisms including behaviours of default diagnostic accounts,” he concluded.

There are other details in the Full Disclosure post that users should check off, such as world-writable Unix files and users with excessive permissions and scripts that run as root, which attentive sysadmins will want to tick off. ®


Biting the hand that feeds IT © 1998–2021