Several security vulnerabilities revealed in the Brocade SANnav storage network (SAN) management application could be exploited to compromise sensitive equipment.
According to independent security researcher Pierre Barre, who discovered and reported them, the 18 flaws affect all versions up to and including 2.3.0.
Issues range from faulty firewall rules, insecure root access, and Docker misconfigurations to lack of authentication and encryption, thus allowing an attacker to intercept credentials, overwrite arbitrary files, and completely hijack the device.
Some of the more serious defects are listed below:
- CVE-2024-2859 (CVSS Score: 8.8) – A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device by using the root account and execute arbitrary commands
- CVE-2024-29960 (CVSS Score: 7.5) – The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt SSH traffic to the SANnav appliance and compromise it.
- CVE-2024-29961 (CVSS Score: 8.2) – A vulnerability that could allow an unauthenticated, remote attacker to mount a supply chain attack by leveraging the fact that the SANnav service sends ping commands in the background at periodic intervals to gridgain domains[.]com and ignite.apache[.]org to check for updates
- CVE-2024-29963 (CVSS Score: 8.6) – The use of hardcoded Docker keys in SANnav OVA to reach remote registries over TLS, thus allowing an attacker to perform an adversary-in-the-middle (AitM) attack on the traffic
- CVE-2024-29966 (CVSS Score: 7.5) – The presence of hard-coded credentials for root users in publicly available documentation that could allow an unauthenticated attacker full access to the Brocade SANnav appliance.
Following responsible disclosure twice in August 2022 and May 2023, the flaws were fixed in SANnav version 2.3.1 released in December 2023. Brocade’s parent company Broadcom, which also owns Symantec and VMware, released defect alerts earlier this month.
Hewlett Packard Enterprise has also provided patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.
