Operational Defect Database

BugZero found this defect 2355 days ago.

Hewlett Packard Enterprise | a00038202en_us

Advisory: HPE StoreFabric B-series Switches - Account Passwords May Be Reset to Factory Default Following a Firmware Upgrade From FOS v7.3.x or Earlier or to FOS v7.4.2, v8.0.1 or Later

Last update date:

2/28/2024

Affected products:

HPE ConvergedSystem 700 for Virtualization Components and Blocks

HPE ConvergedSystem 700x (CS700x)

HPE 1606 Extension SAN Switch

HPE 8/24 SAN Switch

HPE 8/40 SAN Switch

HPE 8/8 SAN Switch

HPE 8/80 SAN Switch

HPE B-series SN6000B Fibre Channel Switch

HPE B-series SN6500B Fibre Channel Switch

HPE SN3000B Fibre Channel Switch

HPE Storage SAN Director Switch

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

If the default account (root, admin or user) passwords were changed by the administrator in Fabric OS (FOS) versions earlier than v7.3.x, and the switch was then upgraded all the way to FOS v7.4.2, v8.0.1, or later, the passwords for these accounts may be reset to the factory default value. This issue does not exist if one of the default passwords was changed while the switch was running FOS v7.3.0 or later and then upgraded.

Scope

This issue affects default account passwords changed on FOS v7.2x or earlier on the following affected platforms:

HPE StoreFabric SAN Backbone Director Switch

HPE DC04 SAN Director Switch

HPE SN8000B 4-slot SAN Director Switch

HPE SN8000B 8-slot Power Pack+ SAN Backbone Director Switch

HPE 1606 Extension SAN Switch

HPE 8/80 SAN Switch

HPE 8/40 SAN Switch

HPE 8/24 SAN Switch

HPE 8/8 SAN Switch

HPE SN3000B Fibre Channel Switch

HPE SN6000B Fibre Channel Switch

HPE StoreFabric SN6500B Fibre Channel Switch

Administrator-created user accounts, Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), or Terminal Access Controller Access Control System (TACACS) are not impacted. Default passwords that were changed on FOS v7.3x or later are not impacted.

Resolution

IMPORTANT: This issue has only been seen on a small number of upgrades, but it may pose a security vulnerability if not addressed immediately.

If this issue does occur during the upgrade, you will not be able to log into the switch with the administrator-defined password for the root, admin, or user account. You will need to use the well-known default password for these accounts to access the switch.

Once the switch is upgraded to FOS v7.4.2, v8.0.1 or later, it will not be affected by this issue.

WORKAROUND

Before upgrading to FOS v7.4.2, v8.0.1 or later, administrators are advised to perform one of the following workarounds while the switch is running FOS v7.3.x, v7.4.0x or v7.4.1x, to prevent the reset of default account passwords on impacted switches:

Create a new user account before performing the firmware download.

Or

Change one of the default account passwords before performing the firmware download.

To recover from a default account password reset after a switch has been upgraded to FOS v7.4.2, v8.0.1 or later, administrators must change all default account passwords.
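The conditions from the Info and Resolution sections can be applied to a switch inventory before an upgrade window, as in the following added example (not HPE tooling). The inventory rows, switch names and status strings are constructed, and two things are assumptions: that change records give the FOS version on which the default passwords were last changed, and that "v7.4.2, v8.0.1 or later" is read per release train.

```python
import re

NOT_AFFECTED = "not affected: default passwords were changed on v7.3.0 or later"
NO_TRIGGER = "no action yet: planned target is below v7.4.2 / v8.0.1"
WORKAROUND = "apply workaround now: add a user account or change one default password"
STAGE = "stage upgrade: apply the workaround at a v7.3.x-v7.4.1x step first"
ROTATE = "already on v7.4.2 / v8.0.1 or later: change all default account passwords"


def parse_fos(version):
    """'v7.4.1e' -> (7, 4, 1); a trailing patch letter is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FOS version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_trigger_release(v):
    """Assumed reading of 'v7.4.2, v8.0.1 or later': evaluated per release train."""
    return v >= (7, 4, 2) if v[0] == 7 else v >= (8, 0, 1)


def triage(running, passwords_changed_on, target):
    """Classify one switch from its running, password-change and target versions."""
    run, changed, tgt = (parse_fos(x) for x in (running, passwords_changed_on, target))
    if changed >= (7, 3, 0):
        return NOT_AFFECTED   # changed on v7.3.0 or later: issue does not exist
    if is_trigger_release(run):
        return ROTATE         # a reset may already have happened during the upgrade
    if not is_trigger_release(tgt):
        return NO_TRIGGER     # this upgrade does not reach the releases named
    # Workaround window named in the advisory: v7.3.x, v7.4.0x, v7.4.1x
    return WORKAROUND if run >= (7, 3, 0) else STAGE


# Constructed inventory: (switch, running FOS, FOS when passwords were changed, target)
INVENTORY = [
    ("san-a1", "v7.4.1e", "v7.2.1d", "v8.0.1b"),
    ("san-a2", "v7.4.1e", "v7.3.1", "v8.0.1b"),
    ("san-b1", "v7.2.1d", "v7.1.0", "v7.4.2a"),
    ("san-b2", "v8.0.2", "v7.2.0", "v8.0.2"),
]

if __name__ == "__main__":
    for name, running, changed, target in INVENTORY:
        print(f"{name}: {triage(running, changed, target)}")
```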
