CVE-2020-15377
📋 TL;DR
CVE-2020-15377 is a Server-Side Request Forgery (SSRF) vulnerability in Brocade SANnav Webtools that allows unauthenticated attackers to make requests to arbitrary internal or external hosts. This affects Brocade SANnav installations before version 2.1.1, potentially exposing internal network resources and services to unauthorized access.
💻 Affected Systems
- Brocade SANnav
📦 What is this software?
SANnav by Broadcom (Brocade)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal systems, access sensitive data, perform internal reconnaissance, or exploit other vulnerabilities in internal services that wouldn't normally be internet-accessible.
Likely Case
Unauthenticated attackers scanning internal networks, accessing metadata services, or interacting with internal APIs to gather information about the environment.
If Mitigated
Limited to information disclosure about internal network structure and accessible services, with no direct access to sensitive data if proper network segmentation exists.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and require minimal technical skill; the unauthenticated nature makes this one particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1 and later
Vendor Advisory: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1480
Restart Required: Yes
Instructions:
1. Download SANnav version 2.1.1 or later from the Broadcom support portal.
2. Follow the SANnav upgrade procedure documented in the installation guide.
3. Verify the upgrade completed successfully and Webtools is functioning.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the SANnav management interface to trusted IP addresses only.
Use firewall rules to limit access; add the ACCEPT rule before the DROP rule, since iptables -A appends rules in order and the first match wins:
iptables -A INPUT -p tcp --dport <sannav-port> -s <trusted-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <sannav-port> -j DROP
Reverse Proxy Filtering
Deploy a reverse proxy that filters SSRF attempts before they reach SANnav.
Configure nginx/apache to block requests whose parameters contain internal IP addresses or other known SSRF patterns.
🧯 If You Can't Patch
- Isolate SANnav management interface on a dedicated VLAN with strict access controls
- Implement network segmentation to limit what internal resources SANnav can access
🔍 How to Verify
Check if Vulnerable:
Check SANnav version via web interface or CLI; versions below 2.1.1 are vulnerable
Check Version:
From SANnav CLI: show version or check web interface administration page
Verify Fix Applied:
Confirm SANnav version is 2.1.1 or higher and test SSRF attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound connections from SANnav to internal services
- Multiple failed authentication attempts followed by outbound requests
- Requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from SANnav
Network Indicators:
- SANnav making requests to unexpected internal services
- Traffic from SANnav to metadata services (169.254.169.254)
- Outbound connections to non-standard ports from SANnav
SIEM Query:
source="sannav" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16 OR dest_ip=169.254.169.254)
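The reverse proxy filter under Temporary Workarounds and the SIEM query above rest on the same decision: does a destination fall inside the private or link-local ranges the advisory lists? The Python below is an added example, not code from Broadcom, Brocade or this advisory. It implements that range check once, applies it to a user-supplied URL (the proxy-side decision) and to connection log lines (the detection side), and adds an allow-list so the management hosts SANnav legitimately talks to are not flagged. The log line format, the sample lines, and all function names are constructed assumptions; real SANnav logs will need their own parser.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Ranges from the advisory's SIEM query (RFC 1918 plus the 169.254.169.254
# metadata address). This example widens link-local to the whole 169.254.0.0/16
# block and adds loopback, both common SSRF destinations.
WATCHED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_internal_address(addr: str) -> bool:
    """True if addr is a literal IP inside one of the watched ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not a literal IP (hostname, garbage); caller decides what to do.
        return False
    return any(ip in net for net in WATCHED_RANGES)


def is_internal_target(url: str) -> bool:
    """Proxy-side decision on a user-supplied URL parameter (hypothetical helper).

    Only literal IP hosts are judged here. A hostname would have to be resolved
    first and every resolved address checked, otherwise DNS can point a
    harmless-looking name at an internal address.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    return is_internal_address(host)


# Assumed log format (constructed): "... src=<ip> dst=<ip>:<port> ..."
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+):(?P<port>\d+)")


def flag_internal_destinations(log_lines, expected=frozenset()):
    """Return (dst, port) for each connection into a watched range.

    `expected` holds destinations SANnav is supposed to reach (managed switches,
    directory servers); they are skipped so the rule does not fire on routine
    management traffic.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        dst = match.group("dst")
        if dst in expected:
            continue
        if is_internal_address(dst):
            hits.append((dst, int(match.group("port"))))
    return hits


# Constructed sample log lines, not real SANnav output.
SAMPLE_LOG = [
    "2021-03-01T10:00:01Z sannav conn src=10.20.30.40 dst=203.0.113.7:443 action=connect",
    "2021-03-01T10:00:02Z sannav conn src=10.20.30.40 dst=169.254.169.254:80 action=connect",
    "2021-03-01T10:00:03Z sannav conn src=10.20.30.40 dst=172.31.5.9:22 action=connect",
    "2021-03-01T10:00:04Z sannav conn src=10.20.30.40 dst=198.51.100.3:8080 action=connect",
]

if __name__ == "__main__":
    # Treat 172.31.5.9 as a managed switch; only the metadata request remains.
    print(flag_internal_destinations(SAMPLE_LOG, expected={"172.31.5.9"}))
```

The allow-list matters in practice: SANnav's job is to talk to internal fabric switches, so the bare SIEM query on this page will match legitimate traffic until the known management targets are excluded. Alert on what is left, and on any hit against 169.254.169.254 regardless.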