Connect with us

Hi, what are you looking for?



Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking

The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password.

Multiple vulnerabilities in the Brocade SANnav storage area network (SAN) management application could be exploited to compromise the appliance and Fibre Channel switches, security researcher Pierre Barre warns.

The researcher identified a total of 18 flaws in the appliance, including unauthenticated flaws allowing remote attackers to log in to vulnerable devices as root. Of these, nine were assigned CVE identifiers: CVE-2024-2859 and CVE-2024-29960 through CVE-2024-29967.

According to the researcher, three of these issues could allow an attacker to send malicious data and to intercept credentials sent in clear-text, potentially compromising the entire Fibre Channel infrastructure.

The first issue exists because the SANnav VM lacks a firewall by default, thus allowing an attacker to reach APIs for the Apache Kafka event streaming platform. The other two are rooted in the use of HTTP as the management protocol if HTTPS is blocked, and in syslog traffic being sent in clear-text.

Barre also discovered that the appliance has two backdoor user accounts, namely ‘root’ and ‘sannav’, and that the password for root is publicly known, as it has been included in the product’s documentation. The same password can be used for the sannav account as well.

While reviewing the SANnav configuration, the researcher also discovered that root access is available by default, that insecure options have been set in an OpenSSH configuration file, and that the appliance is sending HTTPS requests to two domains at regular intervals, without explanation.

Furthermore, SANnav has Postgres running without authentication and accessible from any Docker instance, allowing an unauthenticated attacker to gain read and write access to the database and dump the dcmdb database, which contains sensitive information, including administrative credentials.

Issues in the Postgres Docker instance, Barre says, could allow an attacker to overwrite critical files in the host and to exfiltrate backup files. Furthermore, Docker instances within the appliance have read/write access to critical mount points, allowing an attacker to take over the appliance by replacing binaries in specific directories.

Advertisement. Scroll to continue reading.

Overall, SANnav uses 40 different Docker instances, and the researcher identified several vulnerabilities in them, including the fact that four instances have extensive permissions that could allow an attacker to take control of the appliance.

Additionally, Barre discovered that backup files expose credentials and configuration information and can be retrieved and mounted on malicious appliances, that SANnav has inconsistent firewall rules and insecure file permissions, that Kafka can be reached from the WAN interface, and that the appliance uses hardcoded SSH and Docker keys.

Barre initially discovered the flaws in 2022, in SANnav version 2.1.1, but his report was rejected, as Brocade had already released version 2.2.2 of the application and that had not been tested by the researcher. After confirming that the bugs were still present in the newer release, he re-submitted the report in May 2023.

The storage networking solutions provider acknowledged the issues and patched them in SANnav version 2.3.1, which was released in December 2023. Last week, Brocade parent company Broadcom published advisories detailing nine of the addressed flaws.

On April 18, Hewlett Packard Enterprise (HPE) announced that patches for eight of these flaws were included in HPE SANnav Management Portal versions 2.3.0a and 2.3.1.

Related: CrushFTP Patches Exploited Zero-Day Vulnerability

Related: Cisco Says PoC Exploit Available for Newly Patched IMC Vulnerability

Related: Brocade Vulnerabilities Could Impact Storage Solutions of Several Major Companies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.