CVE-2020-15379
📋 TL;DR
This vulnerability in Brocade SANnav allows remote attackers to cause a denial-of-service condition by sending specially crafted data with excessive length for custom field names. The lack of proper input validation enables attackers to crash the service, disrupting SAN management functionality. Organizations using Brocade SANnav versions before 2.1.0a are affected.
💻 Affected Systems
- Brocade SANnav
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of SANnav management interface, potentially affecting SAN monitoring and configuration capabilities until service restart.
Likely Case
Temporary denial-of-service affecting SANnav web interface and management functions, requiring service restart to recover.
If Mitigated
No impact if proper input validation is implemented or if the service is patched to version 2.1.0a or later.
🎯 Exploit Status
The vulnerability requires sending specially crafted requests to the SANnav web interface. No authentication is required, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0a and later
Vendor Advisory: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1319
Restart Required: Yes
Instructions:
1. Download SANnav version 2.1.0a or later from the Broadcom support portal.
2. Back up the current configuration.
3. Install the update following Broadcom's upgrade procedures.
4. Restart SANnav services to apply the patch.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the SANnav management interface to trusted IP addresses only
Use firewall rules to limit access:
iptables -A INPUT -p tcp --dport [SANnav-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [SANnav-port] -j DROP
Disable Custom Fields
All platforms: Disable custom field functionality if not required for operations
Check SANnav documentation for disabling custom field features via configuration
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SANnav from untrusted networks
- Deploy web application firewall (WAF) with input validation rules to block excessive length requests
🔍 How to Verify
Check if Vulnerable:
Check SANnav version via web interface or CLI. If version is below 2.1.0a, system is vulnerable.
Check Version:
From SANnav CLI: 'sannav version' or check via web interface under System Information
Verify Fix Applied:
Verify SANnav version is 2.1.0a or higher after patching. Test custom field creation with various input lengths to ensure proper validation.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed requests with long field names
- SANnav service crash/restart logs
- Error messages related to input validation failures
Network Indicators:
- Unusual HTTP POST requests with excessively long parameter values to SANnav endpoints
- Multiple rapid requests to custom field endpoints
SIEM Query:
source="sannav.log" AND ("crash" OR "restart" OR "validation error") OR (http_method="POST" AND uri_path="*custom*" AND content_length>1000)
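The log and network indicators above can also be checked offline against exported request logs. The following is an added example, not part of the vendor advisory or SANnav itself: it applies the SIEM query's POST / "custom" / content_length>1000 rule and adds a per-source burst check. The key=value log layout, the sample URI, and the burst threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_LEN = 1000                         # content_length threshold from the SIEM query above
BURST_COUNT = 3                        # assumption: custom-field POSTs per source in the window
BURST_WINDOW = timedelta(seconds=10)   # assumption

# Constructed sample events; the key=value layout and URI are assumptions, not SANnav's format.
SAMPLE = """\
ts=2021-03-01T10:00:00 src=10.0.0.5 http_method=GET uri_path=/dashboard content_length=0
ts=2021-03-01T10:00:01 src=10.0.0.9 http_method=POST uri_path=/example/custom-field content_length=212
ts=2021-03-01T10:00:02 src=203.0.113.7 http_method=POST uri_path=/example/custom-field content_length=65536
ts=2021-03-01T10:00:03 src=203.0.113.7 http_method=POST uri_path=/example/custom-field content_length=70000
ts=2021-03-01T10:00:04 src=203.0.113.7 http_method=POST uri_path=/example/custom-field content_length=80
ts=2021-03-01T10:05:00 src=10.0.0.9 http_method=POST uri_path=/example/custom-field content_length=300
malformed line without fields
"""

def parse(line):
    """Return a dict of key=value fields, or None if the line is unusable."""
    ev = dict(re.findall(r"(\w+)=(\S+)", line))
    if not {"ts", "src", "http_method", "uri_path", "content_length"} <= ev.keys():
        return None
    try:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["content_length"] = int(ev["content_length"])
    except ValueError:
        return None
    return ev

def detect(lines):
    """Return (rule, src, ts) alerts for oversized or bursty custom-field POSTs."""
    recent, alerts = defaultdict(deque), []   # recent: src -> timestamps inside the window
    for ev in filter(None, map(parse, lines)):
        if ev["http_method"] != "POST" or "custom" not in ev["uri_path"].lower():
            continue
        if ev["content_length"] > MAX_LEN:
            alerts.append(("oversized_body", ev["src"], ev["ts"]))
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > BURST_WINDOW:  # drop timestamps older than the window
            q.popleft()
        if len(q) == BURST_COUNT:              # alert when the window count reaches the threshold
            alerts.append(("burst", ev["src"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for rule, src, ts in detect(SAMPLE.splitlines()): print(ts.isoformat(), src, rule)
```

Correlate any alerts with SANnav service crash or restart entries from the same time window before treating them as exploitation attempts.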