Brocade SANnav Management Software Vulnerabilities Allow Device Compromise
April 29, 2024
Multiple vulnerabilities have been identified in Brocade's SANnav storage area network (SAN) management application, posing a potential threat to affected devices. These vulnerabilities are present in all versions up to and including 2.3.0. The most significant of these is an insecure SSH configuration, identified as CVE-2024-2859, which has a CVSS score of 8.8. This vulnerability could be exploited by an unauthenticated, remote attacker to log into a vulnerable device using the root account and execute arbitrary commands.
Another major vulnerability is related to the presence of hardcoded Docker keys, identified as CVE-2024-29963, with a CVSS score of 8.6. This issue affects Brocade SANnav OVA versions prior to v2.3.1 and v2.3.0a. These versions contain hardcoded TLS keys used by Docker. However, according to an advisory published by Broadcom, the risk associated with this vulnerability is minimal as SANnav does not have access to remote Docker registries and is prevented from communicating with Docker registries.
Security researcher Pierre Barre discovered these vulnerabilities and reported them to Brocade through Dell in September 2022. Brocade initially rejected the report because it did not address the latest version of SANnav. “The security assessment was provided in September 2022 to the Brocade support through Dell but it was rejected by Brocade because it didn’t address the latest version of SANnav,” wrote Barre.
Barre was able to access the latest version of SANnav in May 2023 and confirmed that the previously rejected vulnerabilities were still present in version 2.2.2. He also discovered three additional 0-day vulnerabilities. After he re-submitted his report, Brocade acknowledged the vulnerabilities in May 2023. The company released patches for these issues in April 2024, 19 months after the initial rejection and 11 months after acknowledging the vulnerabilities.
These vulnerabilities could allow an attacker to compromise a SANnav appliance and, subsequently, Fibre Channel switches. “An attacker can compromise a SANNav appliance. After compromising SANNav, it is trivial to compromise Fibre Channel switches. These switches are running Linux and are powerful. They are ideal to host implants.”