Severe Flaws Disclosed in Brocade SANnav SAN Management Software

April 26, 2024 at 11:12AM

Several security vulnerabilities were disclosed in the Brocade SANnav storage area network (SAN) management application, impacting all versions up to and including 2.3.0. These flaws allowed attackers to intercept credentials, execute arbitrary commands, and carry out supply chain attacks. The issues have been addressed in SANnav version 2.3.1 and patches have been released by Brocade’s parent company Broadcom and Hewlett Packard Enterprise for related products.

Key takeaways:

1. Numerous security vulnerabilities in the Brocade SANnav storage area network (SAN) management application were disclosed, impacting all versions up to and including 2.3.0.
2. Independent security researcher Pierre Barre identified 18 flaws, including incorrect firewall rules, insecure root access, Docker misconfigurations, and a lack of authentication and encryption, enabling attackers to intercept credentials, overwrite files, and breach devices.
3. Among the most severe of the disclosed flaws are CVE-2024-2859, CVE-2024-29960, CVE-2024-29961, CVE-2024-29963, and CVE-2024-29966.
4. Following responsible disclosure in August 2022 and May 2023, the vulnerabilities were addressed in SANnav version 2.3.1 in December 2023. Advisories have been released by Broadcom (the parent company of Brocade, Symantec, and VMware) as well as by Hewlett Packard Enterprise.
5. Hewlett Packard Enterprise has already shipped patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.