Monday, January 22, 2024

Reader Comment – 3rd Party KEVs

Earlier today, an anonymous reader left a comment on Saturday’s Public ICS Disclosure post. The reader questioned my note that the Broadcom advisory contained “vulnerabilities that is listed in the CISA Known Exploited Vulnerabilities Catalog in multiple”. The reader noted that the advisory “states that ‘No Brocade Fibre Channel Products from Broadcom Products are known to be affected by this vulnerability.’ so it is also unlikely to be in the CISA KEV list.”

First, the advisory reports that Brocade Fabric OS, Brocade SANnav, and Brocade Support Link products are affected by the vulnerability; the ‘Brocade Fibre Channel’ note is confusing a lot of people. Second, the vulnerability (CVE-2023-4911) is a third-party vulnerability, found in the GNU C Library. As shown below (a clip from the NVD.NIST.gov site for the vulnerability), that vulnerability is listed in CISA’s Known Exploited Vulnerabilities Catalog.

We are starting to see a number of these KEV vulnerabilities being reported as third-party vulnerabilities. How vulnerable these new products are to the KEV vulnerability depends a great deal on how the original program is utilized and implemented in the new product. Even where the product is susceptible to the vulnerability, existing exploits will in most cases need to be revised to work against it.
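The check the reader skipped, as an added example that is not part of the original post: cross-reference every CVE a vendor advisory mentions against the CISA KEV feed, and flag hits whose KEV vendor (here GNU/glibc) differs from the advisory's vendor (Broadcom), since a vendor-name search of the catalog never finds these third-party entries. The KEV JSON excerpt and the advisory text are constructed samples; the dates in the sample are illustrative.

```python
import json
import re

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the field values below are illustrative, not copied from the live catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 1,
    "vulnerabilities": [
        {"cveID": "CVE-2023-4911", "vendorProject": "GNU", "product": "glibc",
         "vulnerabilityName": "GNU C Library Buffer Overflow Vulnerability",
         "dateAdded": "2023-11-21", "dueDate": "2023-12-12",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed advisory text standing in for a vendor security bulletin;
# CVE-2023-99999 is a made-up identifier used to show a non-match.
ADVISORY_SAMPLE = """Vendor: Broadcom
Affected: Brocade Fabric OS, Brocade SANnav, Brocade Support Link
Third-party component: GNU C Library, CVE-2023-4911.
Also referenced: CVE-2023-99999 (not in the catalog)."""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def load_kev(raw_json):
    """Index the KEV feed by CVE ID for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def kev_matches(advisory_text, advisory_vendor, kev_index):
    """Return KEV hits for every CVE mentioned in the advisory, marking
    those whose KEV vendorProject differs from the advisory's vendor
    (i.e. third-party vulnerabilities inherited from a component)."""
    hits = []
    for cve in sorted(set(CVE_RE.findall(advisory_text))):
        entry = kev_index.get(cve)
        if entry is None:
            continue  # mentioned in the advisory, but not a KEV entry
        hits.append({
            "cveID": cve,
            "kevVendor": entry["vendorProject"],
            "kevProduct": entry["product"],
            "dueDate": entry["dueDate"],
            "thirdParty": entry["vendorProject"].lower() != advisory_vendor.lower(),
        })
    return hits

if __name__ == "__main__":
    for hit in kev_matches(ADVISORY_SAMPLE, "Broadcom", load_kev(KEV_SAMPLE)):
        print(hit)
```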
