Multiple vulnerabilities found in the Brocade SANnav storage area network (SAN) management application could potentially compromise affected appliances.
The following vulnerabilities, discovered by the security researcher Pierre Barre, impact all versions up to 2.3.0 (included):
The most severe flaw is an Insecure SSH configuration tracked as CVE-2024-2859 (CVSS score of 8.8). An unauthenticated, remote attacker can exploit the vulnerability to log in to a vulnerable device using the root account and execute arbitrary commands.
Another severe issue is related to the presence of Hardcoded Docker Keys tracked as CVE-2024-29963 (CVSS score of 8.6).
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. According to the advisory published by Broadcom, Brocade SANnav doesn’t have access to remote Docker registries, and knowledge of the keys is a minimal risk as SANnav is prevented from communicating with Docker registries.
“The security assessment was provided in September 2022 to the Brocade support through Dell but it was rejected by Brocade because it didn’t address the latest version of SANnav.” wrote Barre.
“Luckily, I was able to get access to the latest version of SANnav in May 2023 (the latest version was 2.2.2 then) and confirmed that all the previously rejected vulnerabilities were still present in the version 2.2.2 and as a bonus point, I was able to find 3 additional 0-day vulnerabilities while updating the report. An updated report confirming all the vulnerabilities in the 2.2.2 version was sent to Brocade PSIRT in May 2023 and they finally aknowledged the vulnerabilities. The patches were released in April 2024, 19 months after Brocade firstly rejected the vulnerabilities and 11 months after Brocade acknowledged the vulnerabilities. An attacker can compromise a SANNav appliance. After compromising SANNav, it is trivial to compromise Fibre Channel switches. These switches are running Linux and are powerful. They are ideal to host implants.”
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, Brocade)