IBM9477F483B73E5F2946F325D78F5FE86EAC57ED1E5A2E8E7DF0AD23DC6F86196ASecurity Bulletin: IBM Switches flood Fibre Channel-over-Ethernet (FCoE) data frame out of every port if destination address is not in MAC table (CVE-2013-0570)
2.9 Low
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:A/AC:M/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
40.3%
Abstract
IBM System Networking switches that are capable of Fibre Channel over Ethernet (FCoE) will flood FCoE data frames with unknown MAC addresses to all ports on the switch. Remediation for this vulnerability consists of updating the IBM Networking Operating System (NOS) running on these switches to a version for which IBM has created a fix.
Content
VULNERABILITY DETAILS:
CVE ID: CVE-2013-0570
DESCRIPTION:
A potential vulnerability has been identified in the FCoE feature in IBM System Networking switches and legacy Blade Network Technology (BNT) switches running IBM Networking Operating System (NOS) (formerly known as BLADE Operating System). If a switch receives a frame with an unknown destination MAC address, it will flood the frame out on all interfaces on the same VLAN. While this behavior is standard for Ethernet, it is not within spec for Fibre Channel over Ethernet. This vulnerability is not remotely exploitable and requires physical or local access to the network. A successful exploit requires that the attacker be eavesdropping on the broadcast domain (i.e., the VLAN). An exploit should not impact integrity of transmitted data or system availability, but it can compromise the confidentiality of information, although the attacker would not have control over what can be accessed.
After 20 seconds, the FCF links will expire due to missing keep-alive responses, and hosts will stop sending packets to unknown destination MAC addresses. Therefore, this vulnerability is automatically limited to a 20-second time window without any additional user intervention.
Devices that are not capable of or configured to run FCoE are not affected by this vulnerability.
This vulnerability can be fixed by updating the version of NOS on the switch to a version for which IBM is providing a software fix, listed below.
CVSS Base Score: 2.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83166 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS:
This vulnerability affects all IBM System Networking switches that are capable of running FCoE, including those used in IBM Flex Systems and IBM BladeCenter products. This includes versions and releases that are no longer in support. The remediation section immediately below identifies affected switches still in support.
REMEDIATION:
IBM recommends updating the affected switches to the latest versions of IBM NOS for which IBM is providing a fix. Below is a list of devices and NOS versions with the fix:
| Device Name | IBM NOS Version(s) |
|---|---|
| IBM Flex System Fabric EN4093 10Gb Scalable Switch | 7.7.3.0, 7.5.5.0 |
| IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch | 7.7.3.0, 7.5.5.0 |
| IBM Flex System SI4093 Interconnect Module | 7.7.3.0 |
| IBM RackSwitch G8124/G8124-E/G8124-ER | 7.7.3.0, 7.6.3.0, 6.8.16.0 |
| IBM RackSwitch G8264 | 7.7.3.0, 7.6.6.0, 7.4.4.0, 6.8.10.0 |
| IBM RackSwitch G8264CS | 7.7.3.0, 7.1.3.0 |
| IBM RackSwitch G8264-T | 7.7.3.0, 7.6.3.10 |
| IBM RackSwitch G8316 | 7.7.3.0, 7.6.6.0 |
| IBM Virtual Fabric 10 Gb Ethernet Switch Module | 7.7.3.0, 7.6.2.0, 6.8.16.0 |
For unsupported releases, IBM recommends that customers upgrade to a version for which there is a fix.
WORKAROUND:
None.
MITIGATION:
Since the frames with unknown MAC addresses are only flooded onto interfaces sharing the same VLAN as the incoming packet, customers may also mitigate the problem by limiting the broadcast domain of the flooded frames by carefully defining VLANs on their switches and only allowing trusted nodes onto VLANs that may carry confidential data. However, if the FCoE VLAN’s port is also a member of another Ethernet VLAN, then it is possible that those Ethernet VLANs will receive the flooded frames as well. If the ports are separated distinctly by FCoE and Ethernet VLANs, then the issue can be avoided.
REFERENCES:
- Complete CVSS Guide (hyperlink to http://www.first.org/cvss/v2/guide )
- On-line Calculator V2 (link to http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 )
- _CVE-2013-0570 _
- X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/84112
RELATED INFORMATION:
_IBM Secure Engineering Web Portal _
IBM Product Security Incident Response Blog
CHANGE HISTORY:
<July 31, 2013>: Original Copy Published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
[{“Product”:{“code”:“SG9VJE”,“label”:“Data Center Ethernet-\u003EIBM RackSwitch G8264T”},“Business Unit”:{“code”:“BU054”,“label”:“Systems w/TPS”},“Component”:“–”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Version Independent”,“Edition”:“”,“Line of Business”:{“code”:“”,“label”:“”}},{“Product”:{“code”:“SGLV3H”,“label”:“Data Center Ethernet-\u003EIBM RackSwitch G8264-7309, 0446, 1455”},“Business Unit”:{“code”:“BU054”,“label”:“Systems w/TPS”},“Component”:" “,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Version Independent”,“Edition”:”“,“Line of Business”:{“code”:”“,“label”:”“}},{“Product”:{“code”:“SG9VCJ”,“label”:“Power System G Series Rackswitch”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:” “,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Version Independent”,“Edition”:”“,“Line of Business”:{“code”:“LOB08”,“label”:“Cognitive Systems”}},{“Product”:{“code”:“SGLUET”,“label”:“Data Center Ethernet-\u003EIBM RackSwitch G8316”},“Business Unit”:{“code”:“BU054”,“label”:“Systems w/TPS”},“Component”:” “,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Version Independent”,“Edition”:”“,“Line of Business”:{“code”:”“,“label”:”“}},{“Product”:{“code”:“SGLV7C”,“label”:“Data Center Ethernet-\u003EIBM RackSwitch G8124, 8124E - 7309, 0446, 1455”},“Business Unit”:{“code”:“BU054”,“label”:“Systems w/TPS”},“Component”:” “,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Version Independent”,“Edition”:”“,“Line of Business”:{“code”:”“,“label”:”"}}]
Affected configurations
Related
2.9 Low
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:A/AC:M/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
40.3%