CVE-2020-15382
📋 TL;DR
This vulnerability allows attackers to gain administrative access to Brocade SANnav's PostgreSQL database using a hard-coded weak password ('passw0rd') when no password was set during installation. This affects all Brocade SANnav deployments before version 2.1.1 where PostgreSQL was installed without a custom password.
💻 Affected Systems
- Brocade SANnav
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the SANnav management system, allowing attackers to access, modify, or delete sensitive storage network configuration data, potentially disrupting SAN operations or enabling lateral movement to connected storage systems.
Likely Case
Unauthorized database access leading to information disclosure of SAN configuration, performance metrics, and potentially credentials for connected storage devices.
If Mitigated
Limited impact if strong network segmentation and access controls prevent external or unauthorized internal access to the PostgreSQL service.
🎯 Exploit Status
Exploitation requires network access to the PostgreSQL port (default 5432) and knowledge of the hard-coded password. No other authentication or special privileges are needed beyond network connectivity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1 and later
Vendor Advisory: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1484
Restart Required: Yes
Instructions:
1. Download Brocade SANnav version 2.1.1 or later from the Broadcom support portal.
2. Follow the upgrade procedure documented in the SANnav installation guide.
3. Verify that the PostgreSQL password is properly configured during the upgrade.
🔧 Temporary Workarounds
Change PostgreSQL Password
On Linux, manually change the PostgreSQL administrator password to a strong, unique value:
psql -U postgres -c "ALTER USER postgres WITH PASSWORD 'new_strong_password';"
Update SANnav configuration to use the new password
Network Access Control
On Linux, restrict network access to the PostgreSQL port (default 5432) using firewall rules:
iptables -A INPUT -p tcp --dport 5432 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SANnav PostgreSQL service from untrusted networks
- Change PostgreSQL password immediately to a strong, unique value and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to connect to PostgreSQL on port 5432 using username 'postgres' and password 'passw0rd'. If connection succeeds, system is vulnerable.
Check Version:
Check SANnav version in web interface or via 'sannav --version' if available
Verify Fix Applied:
Verify SANnav version is 2.1.1 or later via SANnav web interface or command line. Test that PostgreSQL no longer accepts 'passw0rd' as password.
📡 Detection & Monitoring
Log Indicators:
- Failed or successful authentication attempts to PostgreSQL with username 'postgres'
- Unusual database queries or connections from unexpected IP addresses
Network Indicators:
- Connection attempts to port 5432 from unauthorized sources
- Brute-force attempts against PostgreSQL service
SIEM Query:
source="postgresql.log" AND ("authentication failed" OR "password authentication failed") AND user="postgres"
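The log indicators above can also be checked directly against the PostgreSQL server log. The following is an added example, not part of the vendor advisory or SANnav itself: it correlates `connection received` lines with later authentication results by backend PID, so that failed and successful `postgres` logins are attributed to a source address. It assumes `log_connections = on` and the default `log_line_prefix` of `'%m [%p] '`; the allowlist addresses, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed allowlist of sources permitted to reach PostgreSQL (hypothetical values).
TRUSTED_HOSTS = {"[local]", "127.0.0.1", "10.0.0.10"}
FAILED_THRESHOLD = 3  # assumed per-source threshold for a brute-force alert
# Matches lines written with the default log_line_prefix '%m [%p] '.
LINE = re.compile(r"\[(?P<pid>\d+)\] (?:LOG|FATAL):\s+(?P<msg>.*)$")
RECEIVED = re.compile(r"connection received: host=(?P<host>\S+)")
AUTHORIZED = re.compile(r"connection authorized: user=(?P<user>\S+)")
FAILED = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')

def analyze(lines, user="postgres"):
    """Return (alert_kind, source_host) tuples for activity on the given role."""
    host_by_pid, failures, alerts = {}, defaultdict(int), []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (r := RECEIVED.search(msg)):
            host_by_pid[pid] = r["host"]  # remember the peer for this backend PID
            continue
        host = host_by_pid.get(pid, "unknown")
        if (a := AUTHORIZED.search(msg)) and a["user"] == user:
            if host not in TRUSTED_HOSTS:
                alerts.append(("untrusted_login", host))
        elif (f := FAILED.search(msg)) and f["user"] == user:
            failures[host] += 1
            if failures[host] == FAILED_THRESHOLD:  # alert once per source
                alerts.append(("repeated_failures", host))
    return alerts

# Constructed sample log lines (not taken from a real system).
SAMPLE = """\
2021-03-01 10:15:02.101 UTC [4101] LOG:  connection received: host=10.0.0.10 port=40112
2021-03-01 10:15:02.109 UTC [4101] LOG:  connection authorized: user=postgres database=postgres
2021-03-01 10:16:40.000 UTC [4102] LOG:  connection received: host=192.0.2.77 port=51001
2021-03-01 10:16:40.010 UTC [4102] FATAL:  password authentication failed for user "postgres"
2021-03-01 10:16:41.000 UTC [4103] LOG:  connection received: host=192.0.2.77 port=51002
2021-03-01 10:16:41.010 UTC [4103] FATAL:  password authentication failed for user "postgres"
2021-03-01 10:16:42.000 UTC [4104] LOG:  connection received: host=192.0.2.77 port=51003
2021-03-01 10:16:42.010 UTC [4104] FATAL:  password authentication failed for user "postgres"
2021-03-01 10:16:43.000 UTC [4105] LOG:  connection received: host=192.0.2.77 port=51004
2021-03-01 10:16:43.010 UTC [4105] LOG:  connection authorized: user=postgres database=postgres
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A successful `postgres` login from a source outside the allowlist is the higher-priority alert, since a failures-only search would not surface it.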