It is no secret that many vendors use open source software in their products and solutions. One of the most ubiquitous is Linux, which is often the base of many of these products and is used as the core OS because of its flexibility and free availability, without (to some extent) the need to keep track of licenses and costs.
These OSS tools have different development backgrounds and are subject to the policies of the person (or the people or companies) who develop them. This obviously means that defects or bugs may result in security issues, especially when network-related applications are involved. Recently the bugs in OpenSSL and Apache have gained much traction, as some of these are fairly significant and can result in access breaches or denial of service.
When these tools are used in firmware, like Brocade FOS or Cisco NX-OS, access to company data might not be applicable, as these tools are simply used for operational switch/fabric management and do not have direct access to your credit card details. What they do have, however, is deep access to the storage infrastructure side. This means that if an outside attacker can access these switches, it is very easy for them, with just a few commands, to significantly disrupt your entire datacentre environment. A simple “switchdisable” or “shutdown” command, if issued with the correct credentials, basically disconnects your storage from your servers and your applications are down… ALL OF THEM, depending on whether they need their data from those arrays, of course.
Now, one thing you don’t do is hook up this kind of equipment to the internet. Access should only be enabled via dedicated management LANs to which only a certain group of people have access. This will not protect you from people inside your own organisation who want to do harm in any form or method and so may seek to exploit your environment, or from people outside your organisation who may have obtained access due to a lack of security discipline (installed malware, security breaches of your employees’ laptops, etc.).
These scenarios have occurred in the past and will happen in the future. The way to protect yourself from this is to be prepared and take counter-measures.
As mentioned, the 3rd party tools used by vendors sometimes show vulnerabilities that can be exploited by external parties. These tools are always bundled with the overall firmware packages that are published on a regular basis. These firmware packages thus provide not only the fixes for bugs and defects in that particular vendor’s own code but also updated packages from these 3rd party suppliers. There is no (supported) way of upgrading these packages individually, and if you try, you will end up in an unsupported configuration and neither the OEM nor the manufacturer will provide support services any longer.
These packages are bundled for a multitude of reasons. First, distribution is controlled, which implies that if a certain firmware release is used, all parties know what the individual packages of that release are. Secondly, some adjustments may have been made to these individual packages, to configuration settings and even to the code itself, in order to optimise them for the specific platform or usage. You therefore cannot use a generic revision from the original developer, as this may also land you in an incompatible and unsupported situation.
Both Brocade and Cisco publish which tools and revisions they use for each of the products they develop and sell: from Network Advisor and Fabric Manager to the core NOS/FOS and NX-OS operating systems, plus the versions that accompany each of their products.
Brocade publishes their list over here, and Cisco’s can be found with each NX-OS product release as a separate document (look for “License and Copyright Information for Cisco Nexus NX-OS Software, Release X.Y.Z…”).
None of the support organisations of any of the OEMs can help you with vulnerability issues. The first thing you need to do is make sure you run the latest OEM-supported firmware/software version that has been provided. If you have a maintenance contract (or if the equipment is still under warranty) these will be provided to you free of charge. If a brand new vulnerability has been published by NIST (or another party) and has not yet been incorporated in any of the packages in those firmware releases, you will need to highlight that to your sales engineer, who then has to contact the manufacturer to get this on the radar as an RFI (Request For Improvement). This will then allow product management to decide which release of this 3rd party tool to use, as there may be more implications than just this vulnerability. Rest assured that most of them are as keen as you are on resolving these kinds of security bugs, so as soon as the problem is fixed by the original developer of the respective software you will see it pop up fairly quickly in a new release.
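As an added illustration (not from the original post, nor from Brocade or Cisco), here is a small Python script that does the cross-check described above: it takes a list of bundled 3rd party components per firmware release, as you would transcribe it from a vendor’s license and copyright document, plus a list of advisories with the upstream version that carries the fix, and reports which releases still ship affected versions, which published release is the least exposed (the one to move to now), and which advisories are not fixed in any published release (the ones to hand to your sales engineer as an RFI). All release names, component versions and advisory identifiers below are constructed placeholders, not real firmware contents or real CVE numbers. The version parser is general: it handles plain dotted versions, OpenSSL-style letter suffixes such as 1.0.1g, and OpenSSH-style pN patch levels such as 5.9p1.

```python
import re
from dataclasses import dataclass

# Constructed sample: 3rd party components bundled in three hypothetical
# firmware releases, transcribed from a vendor's "license and copyright"
# document. Release names and versions are made up for this example.
FIRMWARE_BOM = {
    "release-A": {"openssl": "1.0.1g", "httpd": "2.2.22", "openssh": "5.9p1"},
    "release-B": {"openssl": "1.0.1m", "httpd": "2.2.29", "openssh": "5.9p1"},
    "release-C": {"openssl": "1.0.2a", "httpd": "2.4.12", "openssh": "6.8p1"},
}


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder identifier, not a real CVE number
    component: str    # component name as used in the vendor's list
    fixed_in: str     # first upstream version that carries the fix


# Constructed advisories standing in for entries you would pull from NVD.
ADVISORIES = [
    Advisory("CONSTRUCTED-ADV-1", "openssl", "1.0.1h"),
    Advisory("CONSTRUCTED-ADV-2", "httpd", "2.2.29"),
    Advisory("CONSTRUCTED-ADV-3", "openssh", "6.0p1"),
    Advisory("CONSTRUCTED-ADV-4", "openssl", "1.0.2b"),
]

# dotted numbers, optional OpenSSL letter suffix, optional OpenSSH "pN" level
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:p(\d+))?$")


def parse_version(text):
    """Turn a version string into a tuple that sorts in release order.

    (numeric parts padded to four, letter suffix, patch level): "1.0.1" sorts
    before "1.0.1a", and "5.9p1" before "6.0p1". Unknown formats raise.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))          # pad so tuples compare position-wise
    return (tuple(nums[:4]), m.group(2), int(m.group(3) or 0))


def is_affected(version, advisory):
    """A shipped version is affected if it is older than the fixed-in version."""
    return parse_version(version) < parse_version(advisory.fixed_in)


def audit(bom, advisories):
    """Map each release to its open findings: (component, version, advisory id)."""
    findings = {}
    for release, components in bom.items():
        open_items = []
        for adv in advisories:
            shipped = components.get(adv.component)
            if shipped is not None and is_affected(shipped, adv):
                open_items.append((adv.component, shipped, adv.ident))
        findings[release] = open_items
    return findings


def clean_releases(bom, advisories):
    """Published releases with no open findings at all."""
    return [r for r, items in audit(bom, advisories).items() if not items]


def least_exposed_release(bom, advisories):
    """The published release with the fewest open findings: the upgrade target."""
    results = audit(bom, advisories)
    return min(results, key=lambda r: len(results[r]))


def unresolved_advisories(bom, advisories):
    """Advisories affected in every release that ships the component.

    No published firmware fixes these, so they are the ones to raise with the
    vendor as an RFI rather than something an upgrade can solve today.
    """
    out = []
    for adv in advisories:
        shipping = [c[adv.component] for c in bom.values() if adv.component in c]
        if shipping and all(is_affected(v, adv) for v in shipping):
            out.append(adv.ident)
    return out


if __name__ == "__main__":
    for release, items in audit(FIRMWARE_BOM, ADVISORIES).items():
        print(f"{release}: {len(items)} open finding(s)")
        for component, version, ident in items:
            print(f"  {component} {version} affected by {ident}")
    print("releases with no open findings:", clean_releases(FIRMWARE_BOM, ADVISORIES))
    print("least exposed release:", least_exposed_release(FIRMWARE_BOM, ADVISORIES))
    print("advisories to raise as RFI:", unresolved_advisories(FIRMWARE_BOM, ADVISORIES))
```

With the constructed data, no release is fully clean: release-C is the one to move to now, and CONSTRUCTED-ADV-4 is the item that no published release fixes and therefore goes to the vendor. Comparing versions as strings would get the OpenSSL letter suffixes and the OpenSSH patch levels wrong, which is why the parser normalises them before comparison.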
Once more, prevention of security breaches is fought on multiple fronts. The first line of defence is you. Making sure that systems can only be accessed by authorised people, via multiple layers of authentication, makes it all the more difficult for wrong-doers to have a negative effect on your operations. Maintaining firmware revisions is not a reactive exercise; it should be part of a very regular routine to check and upgrade it, in the same way you would manage your servers’ operating systems and applications.