Apr 14, 2023 - 2:32 p.m.

Security Bulletin: IBM Switches flood Fibre Channel-over-Ethernet (FCoE) data frame out of every port if destination address is not in MAC table (CVE-2013-0570)

www.ibm.com

CVSS2: 2.9 Low
Attack Vector: ADJACENT_NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:A/AC:M/Au:N/C:P/I:N/A:N

CVSS3: 5.3 Medium
Attack Vector: ADJACENT
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 40.3%

Summary

IBM System Networking switches that are capable of Fibre Channel over Ethernet (FCoE) will flood FCoE data frames with unknown MAC addresses to all ports on the switch. Remediation for this vulnerability consists of updating the IBM Networking Operating System (NOS) running on these switches to a version for which IBM has created a fix.

Vulnerability Details

Abstract

IBM System Networking switches that are capable of Fibre Channel over Ethernet (FCoE) will flood FCoE data frames with unknown MAC addresses to all ports on the switch. Remediation for this vulnerability consists of updating the IBM Networking Operating System (NOS) running on these switches to a version for which IBM has created a fix.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0570

DESCRIPTION:

A potential vulnerability has been identified in the FCoE feature in IBM System Networking switches and legacy Blade Network Technology (BNT) switches running IBM Networking Operating System (NOS) (formerly known as BLADE Operating System). If a switch receives a frame with an unknown destination MAC address, it will flood the frame out on all interfaces on the same VLAN. While this behavior is standard for Ethernet, it is not within spec for Fibre Channel over Ethernet. This vulnerability is not remotely exploitable and requires physical or local access to the network. A successful exploit requires that the attacker be eavesdropping on the broadcast domain (i.e., the VLAN). An exploit should not impact integrity of transmitted data or system availability, but it can compromise the confidentiality of information, although the attacker would not have control over what can be accessed.

After 20 seconds, the FCF links will expire due to missing keep-alive responses, and hosts will stop sending packets to unknown destination MAC addresses. Therefore, this vulnerability is automatically limited to a 20-second time window without any additional user intervention.

Devices that are not capable of or configured to run FCoE are not affected by this vulnerability.

This vulnerability can be fixed by updating the version of NOS on the switch to a version for which IBM is providing a software fix, listed below.

IBM CVSS SCORE: 2.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83166 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:

This vulnerability affects all IBM System Networking switches that are capable of running FCoE, including those used in IBM Flex Systems and IBM BladeCenter products. This includes versions and releases that are no longer in support. The remediation section immediately below identifies affected switches still in support.

REMEDIATION:

IBM recommends updating affected IBM Ethernet switches to the latest versions of IBM NOS for which IBM is providing a fix. Below is a list of devices and NOS versions with the fix:

Device Name | IBM NOS Version(s)
--- | ---
IBM Flex System Fabric EN4093 10Gb Scalable Switch | 7.7.3.0, 7.5.5.0
IBM Flex System Fabric EN4093 10 Gb Converged Scalable Switch | 7.7.3.0, 7.5.5.0
IBM Flex System SI4093 Interconnect Module | 7.7.3.0
IBM RackSwitch G8124/G8124-E/G8124-ER | 7.7.3.0, 7.6.3.0, 6.8.16.0
IBM RackSwitch G8264 | 7.7.3.0, 7.6.6.0, 7.4.4.0, 6.8.10.0
IBM RackSwitch G8264CS | 7.7.3.0, 7.1.3.0
IBM RackSwitch G8264-T | 7.7.3.0, 7.6.3.10
IBM RackSwitch G8316 | 7.7.3.0, 7.6.6.0
IBM Virtual Fabric 10 Gb Ethernet Switch Module | 7.7.3.0, 7.6.2.0, 6.8.16.0

For unsupported releases, IBM recommends that customers upgrade to a version for which there is a fix.

WORKAROUND:

None.

MITIGATION:

Since the frames with unknown MAC addresses are only flooded onto interfaces sharing the same VLAN as the incoming packet, customers may also mitigate the problem by limiting the broadcast domain of the flooded frames by carefully defining VLANs on their switches and only allowing trusted nodes onto VLANs that may carry confidential data. However, if the FCoE VLAN’s port is also a member of another Ethernet VLAN, then it is possible that those Ethernet VLANs will receive the flooded frames as well. If the ports are separated distinctly by FCoE and Ethernet VLANs, then the issue can be avoided.
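The VLAN separation described in this mitigation can be checked against a port inventory. The following is an added example, not part of the IBM bulletin: the VLAN ids, port names and trusted-port list are constructed sample data, and the function names are hypothetical. It treats the spill into a shared Ethernet VLAN as the worst case the bulletin says is possible.

```python
# Added example: audit VLAN membership for the separation this bulletin recommends.
# Constructed inventory (not real switch output): VLAN id -> member ports.
VLAN_MEMBERS = {
    1002: {"INTA1", "INTA2", "EXT1"},  # constructed FCoE VLAN
    10: {"INTA2", "INTA3", "EXT2"},    # Ethernet VLAN sharing INTA2 with 1002
    20: {"INTA4", "EXT3"},             # Ethernet VLAN with no overlap
}
FCOE_VLANS = {1002}
TRUSTED_PORTS = {"INTA1", "INTA2", "EXT1"}  # ports with trusted nodes attached


def overlapping_ports(vlan_members, fcoe_vlans):
    """Ports that are in an FCoE VLAN and also in at least one Ethernet VLAN."""
    result = {}
    for fv in fcoe_vlans:
        for port in vlan_members.get(fv, set()):
            others = {v for v, m in vlan_members.items()
                      if v not in fcoe_vlans and port in m}
            if others:
                result.setdefault(port, set()).update(others)
    return {port: sorted(vlans) for port, vlans in result.items()}


def flood_exposure(vlan_members, fcoe_vlans):
    """Worst-case set of ports that could receive a flooded FCoE frame:
    the FCoE VLAN's members plus every member of an Ethernet VLAN that
    shares a port with it."""
    exposure = {}
    for fv in fcoe_vlans:
        members = set(vlan_members.get(fv, set()))
        reach = set(members)
        for v, m in vlan_members.items():
            if v not in fcoe_vlans and m & members:
                reach |= m
        exposure[fv] = reach
    return exposure


def untrusted_exposed(vlan_members, fcoe_vlans, trusted):
    """Exposed ports per FCoE VLAN that are not on the trusted list."""
    exposure = flood_exposure(vlan_members, fcoe_vlans)
    return {fv: sorted(ports - trusted)
            for fv, ports in exposure.items() if ports - trusted}


if __name__ == "__main__":
    print("Ports in both FCoE and Ethernet VLANs:",
          overlapping_ports(VLAN_MEMBERS, FCOE_VLANS))
    print("Untrusted ports in flood scope:",
          untrusted_exposed(VLAN_MEMBERS, FCOE_VLANS, TRUSTED_PORTS))
```

An empty result from both functions corresponds to the "separated distinctly" configuration described above.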

REFERENCES:

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT: The vulnerability was reported to IBM by Dr. Gabi Nakibly.

CHANGE HISTORY: July 31, 2013: Original Copy Published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
