
Security Bulletin: IBM Switches flood Fibre Channel-over-Ethernet (FCoE) data frame out of every port if destination address is not in MAC table (CVE-2013-0570)

Flashes (Alerts)


Abstract

IBM System Networking switches that are capable of Fibre Channel over Ethernet (FCoE) will flood FCoE data frames with unknown MAC addresses to all ports on the switch. Remediation for this vulnerability consists of updating the IBM Networking Operating System (NOS) running on these switches to a version for which IBM has created a fix.

Content

VULNERABILITY DETAILS:


    CVE ID: CVE-2013-0570

    DESCRIPTION:

    A potential vulnerability has been identified in the FCoE feature in IBM System Networking switches and legacy Blade Network Technology (BNT) switches running IBM Networking Operating System (NOS) (formerly known as BLADE Operating System). If a switch receives a frame with an unknown destination MAC address, it will flood the frame out on all interfaces on the same VLAN. While this behavior is standard for Ethernet, it is not within spec for Fibre Channel over Ethernet. This vulnerability is not remotely exploitable and requires physical or local access to the network. A successful exploit requires that the attacker be eavesdropping on the broadcast domain (i.e., the VLAN). An exploit should not impact integrity of transmitted data or system availability, but it can compromise the confidentiality of information, although the attacker would not have control over what can be accessed.

    After 20 seconds, the FCF links will expire due to missing keep-alive responses, and hosts will stop sending packets to unknown destination MAC addresses. Therefore, this vulnerability is automatically limited to a 20-second time window without any additional user intervention.

    Devices that are not capable of or configured to run FCoE are not affected by this vulnerability.

    This vulnerability can be fixed by updating the version of NOS on the switch to a version for which IBM is providing a software fix, listed below.

    CVSS Base Score: 2.9


    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83166 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)

    AFFECTED PRODUCTS AND VERSIONS:

    This vulnerability affects all IBM System Networking switches that are capable of running FCoE, including those used in IBM Flex Systems and IBM BladeCenter products. This includes versions and releases that are no longer in support. The remediation section immediately below identifies affected switches still in support.

    REMEDIATION:

    IBM recommends updating the affected switches to the latest versions of IBM NOS for which IBM is providing a fix. Below is a list of devices and NOS versions with the fix:

    Device Name                                                     IBM NOS Version(s)
    IBM Flex System Fabric EN4093 10Gb Scalable Switch              7.7.3.0, 7.5.5.0
    IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch    7.7.3.0, 7.5.5.0
    IBM Flex System SI4093 Interconnect Module                      7.7.3.0
    IBM RackSwitch G8124/G8124-E/G8124-ER                           7.7.3.0, 7.6.3.0, 6.8.16.0
    IBM RackSwitch G8264                                            7.7.3.0, 7.6.6.0, 7.4.4.0, 6.8.10.0
    IBM RackSwitch G8264CS                                          7.7.3.0, 7.1.3.0
    IBM RackSwitch G8264-T                                          7.7.3.0, 7.6.3.10
    IBM RackSwitch G8316                                            7.7.3.0, 7.6.6.0
    IBM Virtual Fabric 10 Gb Ethernet Switch Module                 7.7.3.0, 7.6.2.0, 6.8.16.0

    For unsupported releases, IBM recommends that customers upgrade to a version for which there is a fix.

    WORKAROUND:

    None.

    MITIGATION:

    Since frames with unknown destination MAC addresses are only flooded onto interfaces that share the VLAN of the incoming frame, customers may also mitigate the problem by limiting the broadcast domain of the flooded frames: define VLANs carefully and allow only trusted nodes onto VLANs that may carry confidential data. However, if a port in the FCoE VLAN is also a member of another Ethernet VLAN, the hosts on those Ethernet VLANs may receive the flooded frames as well. If ports are kept strictly separate between FCoE VLANs and Ethernet VLANs, the issue can be avoided.
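The following model is an added illustration and is not IBM code or the switch's actual forwarding implementation. It simulates the per-VLAN unknown-destination flooding the bulletin describes (a MAC table learned from source addresses; an unlearned destination is flooded to every other port in the same VLAN) and then audits a port/VLAN membership configuration for the two exposures the mitigation section is concerned with: untrusted nodes on the FCoE VLAN, and ports that carry the FCoE VLAN together with an ordinary Ethernet VLAN. All port names, VLAN ids and MAC addresses are constructed sample values.

```python
# Added illustration, not IBM code: a minimal model of the per-VLAN
# unknown-destination flooding that CVE-2013-0570 describes, plus an audit
# of port/VLAN membership for the exposure the MITIGATION section warns
# about. All port names, VLAN ids and MAC addresses are constructed samples.
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str


@dataclass
class Switch:
    # port name -> set of VLAN ids the port is a member of (constructed config)
    membership: dict
    # (vlan, mac) -> port, learned from source addresses of forwarded frames
    mac_table: dict = field(default_factory=dict)

    def forward(self, frame):
        """Return the set of egress ports for a frame.

        A known destination goes out one port. An unknown destination is
        flooded to every other port in the frame's VLAN, which is normal for
        Ethernet but, per the bulletin, not expected for FCoE data frames.
        """
        self.mac_table[(frame.vlan, frame.src_mac)] = frame.in_port
        out = self.mac_table.get((frame.vlan, frame.dst_mac))
        if out is not None:
            return set() if out == frame.in_port else {out}
        return {p for p, vlans in self.membership.items()
                if frame.vlan in vlans and p != frame.in_port}


def audit_fcoe_vlan(membership, fcoe_vlan, trusted_ports):
    """Flag two things a defender wants to know before the switch is patched:

    - untrusted: ports in the FCoE VLAN that are not known FCoE endpoints,
      so a flooded FCoE frame would reach a node that should never see it;
    - mixed: ports that carry the FCoE VLAN alongside other Ethernet VLANs,
      the case the bulletin says can leak flooded frames to those VLANs.
    """
    in_fcoe = {p for p, vlans in membership.items() if fcoe_vlan in vlans}
    untrusted = in_fcoe - set(trusted_ports)
    mixed = {p for p in in_fcoe if membership[p] - {fcoe_vlan}}
    return {"untrusted": sorted(untrusted), "mixed": sorted(mixed)}


# Constructed topology: VLAN 100 carries FCoE, VLAN 200 is ordinary data.
SAMPLE_MEMBERSHIP = {
    "port1": {100},        # FCoE initiator
    "port2": {100},        # uplink toward the FCF
    "port3": {100, 200},   # misconfigured: FCoE VLAN plus a data VLAN
    "port4": {200},        # data-only host
}


def demo():
    sw = Switch(membership=SAMPLE_MEMBERSHIP)
    # port1 sends to a MAC the switch has not learned: flooded within VLAN 100.
    flooded = sw.forward(Frame("0e:fc:00:01:00:01", "0e:fc:00:01:00:02", 100, "port1"))
    # The reply teaches the switch where the destination lives: unicast only.
    learned = sw.forward(Frame("0e:fc:00:01:00:02", "0e:fc:00:01:00:01", 100, "port2"))
    report = audit_fcoe_vlan(SAMPLE_MEMBERSHIP, 100, trusted_ports={"port1", "port2"})
    return flooded, learned, report


if __name__ == "__main__":
    f, l, r = demo()
    print("flooded to:", sorted(f))
    print("after learning:", sorted(l))
    print("audit:", r)
```

Running the module shows the flooded frame reaching port2 and port3 but not the data-only port4, the unicast path once the MAC has been learned, and the audit naming port3 both as an untrusted recipient and as a port that mixes the FCoE VLAN with a data VLAN. The membership dictionary would in practice be filled from the switch's own VLAN configuration; the audit itself is configuration-only and does not require the switch to be patched first.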


REFERENCES:
RELATED INFORMATION:
CHANGE HISTORY:

    July 31, 2013: Original Copy Published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date:
26 September 2022

UID

isg3T1019715