May 7, 2024
Severe Flaws Disclosed in Brocade SANnav SAN Management Software
Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances. The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them. The issues range from incorrect firewall rules,

Apr 26, 2024NewsroomSupply Chain Attack / Software Security

Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances.

The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them.

The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to lack of authentication and encryption, thus allowing an attacker to intercept credentials, overwrite arbitrary files, and completely breach the device.

Some of the most severe flaws are listed below –

  • CVE-2024-2859 (CVSS score: 8.8) – A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands
  • CVE-2024-29960 (CVSS score: 7.5) – The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav appliance and compromise it.
  • CVE-2024-29961 (CVSS score: 8.2) – A vulnerability that can allow an unauthenticated, remote attacker to stage a supply chain attack by taking advantage of the fact the SANnav service sends ping commands in the background at periodic intervals to the domains gridgain[.]com and ignite.apache[.]org to check for updates
  • CVE-2024-29963 (CVSS score: 8.6) – The use of hard-coded Docker keys in SANnav OVA to reach remote registries over TLS, thereby allowing an attacker to carry out adversary-in-the-middle (AitM) attack on the traffic
  • CVE-2024-29966 (CVSS score: 7.5) – The presence of hard-coded credentials for root users in publicly-available documentation that could permit an unauthenticated attacker full access to the Brocade SANnav appliance.

Following responsible disclosure twice in August 2022 and May 2023, the flaws have been addressed in SANnav version 2.3.1 released in December 2023. Brocade’s parent company Broadcom, which also owns Symantec and VMware, released advisories for the flaws earlier this month.

Hewlett Packard Enterprise has also

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

New Case Study: The Malicious Comment New Case Study: The Malicious Comment

New Case Study: The Malicious Comment

Google Simplifies 2-Factor Authentication Setup (It’s More Important Than Ever) Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

Google Simplifies 2-Factor Authentication Setup (It’s More Important Than Ever)

Russian Operator of BTC-e Crypto Exchange Pleads Guilty to Money Laundering Russian Operator of BTC-e Crypto Exchange Pleads Guilty to Money Laundering

Russian Operator of BTC-e Crypto Exchange Pleads Guilty to Money Laundering

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

You may have missed

Amazon Great Summer Sale Ends Soon: See Top Deals on Efficient Appliances Amazon Great Summer Sale Ends Soon: See Top Deals on Efficient Appliances

Amazon Great Summer Sale Ends Soon: See Top Deals on Efficient Appliances

Amazon Great Summer Sale 2024: Best Deals On Home Security Products Amazon Great Summer Sale 2024: Best Deals On Home Security Products

Amazon Great Summer Sale 2024: Best Deals On Home Security Products

Realme to Bring Back Its GT Series to India With the GT 6 Lineup Realme to Bring Back Its GT Series to India With the GT 6 Lineup

Realme to Bring Back Its GT Series to India With the GT 6 Lineup

Heres What You Need To Know About The Dominion V. Fox News Trial That Starts This Week

Heres What You Need To Know About The Dominion V. Fox News Trial That Starts This Week

Moomoo’s Renewed Nasdaq Partnership Enhances Client Trading Experience

Moomoo’s Renewed Nasdaq Partnership Enhances Client Trading Experience

5 Technologies That Could Be Worth $220 Trillion By 2030, Cathie Wood’s ARK Predicts: ‘The Time Is Now’

5 Technologies That Could Be Worth $220 Trillion By 2030, Cathie Wood’s ARK Predicts: ‘The Time Is Now’