Multiple Brocade SANnav SAN Management SW flaws allow device compromise

Multiple flaws in Brocade SANnav storage area network (SAN) management application can allow to compromise impacted appliances.

Multiple vulnerabilities found in the Brocade SANnav storage area network (SAN) management application could potentially compromise affected appliances.

The following vulnerabilities, discovered by the security researcher Pierre Barre, impact all versions up to 2.3.0 (included):

1. CVE-2024-4159 – Incorrect firewall rules
2. non-assigned CVE vulnerability – Lack of encryption for management protocol (HTTP)
3. CVE-2024-4161 – Syslog traffic sent in clear-text
4. CVE-2024-29966 – Insecure root access
5. non-assigned CVE vulnerability – Insecure sannav access
6. CVE-2024-2859 – Insecure SSH configuration
7. CVE-2024-29961 – Suspicious network traffic (ignite.apache.org)
8. non-assigned CVE vulnerability – Lack of authentication in Postgres
9. CVE-2024-29967 – Insecure Postgres Docker instance
10. CVE-2024-29967 – Insecure Docker instances
11. CVE-2024-29964 – Insecure Docker architecture and configuration
12. CVE-2024-29965 – Insecure Backup process
13. CVE-2024-4159 – Inconsistency in firewall rules
14. CVE-2024-29962 – Insecure file permissions
15. CVE-2024-4173 – Kafka reachable on the WAN interface and Lack of authentication
16. CVE-2024-29960 – Hardcoded SSH Keys
17. CVE-2024-29961 – Suspicious network traffic (www.gridgain.com)
18. CVE-2024-29963 – Hardcoded Docker Keys

The most severe flaw is an Insecure SSH configuration tracked as CVE-2024-2859 (CVSS score of 8.8). An unauthenticated, remote attacker can exploit the vulnerability to log in to a vulnerable device using the root account and execute arbitrary commands.

Another severe issue is related to the presence of Hardcoded Docker Keys tracked as CVE-2024-29963 (CVSS score of 8.6).

Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. According to the advisory published by Broadcom, Brocade SANnav doesn’t have access to remote Docker registries, and knowledge of the keys is a minimal risk as SANnav is prevented from communicating with Docker registries.

“The security assessment was provided in September 2022 to the Brocade support through Dell but it was rejected by Brocade because it didn’t address the latest version of SANnav.” wrote Barre.

“Luckily, I was able to get access to the latest version of SANnav in May 2023 (the latest version was 2.2.2 then) and confirmed that all the previously rejected vulnerabilities were still present in the version 2.2.2 and as a bonus point, I was able to find 3 additional 0-day vulnerabilities while updating the report. An updated report confirming all the vulnerabilities in the 2.2.2 version was sent to Brocade PSIRT in May 2023 and they finally aknowledged the vulnerabilities. The patches were released in April 2024, 19 months after Brocade firstly rejected the vulnerabilities and 11 months after Brocade acknowledged the vulnerabilities. An attacker can compromise a SANNav appliance. After compromising SANNav, it is trivial to compromise Fibre Channel switches. These switches are running Linux and are powerful. They are ideal to host implants.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Brocade)