CVE-2018-6443
published 2019-01-22CVE-2018-6443: A vulnerability in Brocade Network Advisor Versions before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration…
PriorityP268high8.1CVSS 3.0
AVNACHPRNUINSUCHIHAH
EXPLOIT
EPSS
7.40%
93.7th percentile
A vulnerability in Brocade Network Advisor Versions before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using an undocumented user credentials and install additional JEE applications. A remote unauthenticated user who has access to Network Advisor client libraries and able to decrypt the Jboss credentials could gain access to the Jboss web console.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brocade | network_advisor | < 14.3.1 | 14.3.1 |
| brocade_communications_systems_inc | brocade_network_advisor | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor JBoss JMX interface for authentication attempts using hardcoded/undocumented credentials, particularly connections that subsequently register MBeans with names starting with 'BNASupport' or 'BNASecurity'. ↗
- →Detect MLet class registration (javax.management.loading.MLet) followed by a getMBeansFromURL invocation, which is the mechanism used to load the malicious JAR (compr.jar) from an attacker-controlled HTTP server. ↗
- →Alert on JMX MBean registration of object names beginning with 'BNASupport' or 'BNASecurity', as these are attacker-defined names used to persist the malicious MBean during exploitation. ↗
- →Detect outbound HTTP requests from the Brocade Network Advisor JBoss process to external hosts serving '/mlet/' paths, which indicates the MLet remote class-loading attack vector is in use. ↗
- →Look for the JMX port being retrieved from the JNLP client libraries via the parameter 'jnlp.dcm.dcm.jmxport', which the exploit uses to discover the JMX service port dynamically. ↗
- →Unauthenticated remote attackers can access the JBoss Administration interface; monitor for unauthenticated logins or access to the JBoss web console from external IPs on Brocade Network Advisor systems prior to version 14.3.1. ↗
- ·The JMX port is not static; the exploit dynamically retrieves it from the JNLP client library parameter 'jnlp.dcm.dcm.jmxport'. Detection rules based on a fixed port may miss exploitation if the port varies across deployments. ↗
- ·The exploit targets Brocade Network Advisor 14.X.X, EMC Connectrix Manager Converged Network Edition 14.4.1, and potentially IBM Network Advisor — detection and patching scope should cover all three product lines. ↗
CVSS provenance
nvdv3.08.1HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/153035/Brocade-Network-Advisor-14.4.1-Unauthenticated-Remote-Code-Execution.htmlhttps://security.netapp.com/advisory/ntap-20190411-0005/https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2018-743http://packetstormsecurity.com/files/153035/Brocade-Network-Advisor-14.4.1-Unauthenticated-Remote-Code-Execution.htmlhttps://security.netapp.com/advisory/ntap-20190411-0005/https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2018-743
2019-01-22
Published