CVE-2020-15387
📋 TL;DR
This vulnerability affects Brocade Fabric OS and SANnav systems using SSH host keys shorter than 2048 bits, making SSH communications vulnerable to man-in-the-middle attacks. Attackers could intercept or manipulate SSH traffic between administrators and affected devices. Organizations using vulnerable Brocade storage networking products are affected.
💻 Affected Systems
- Brocade Fabric OS
- Brocade SANnav
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept administrative SSH sessions, capture credentials, execute unauthorized commands, and gain full control of storage network infrastructure.
Likely Case
Attackers on the same network segment could perform man-in-the-middle attacks against SSH connections to vulnerable devices, potentially gaining administrative access.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential SSH session interception on isolated network segments.
🎯 Exploit Status
Exploitation requires network access to intercept SSH traffic and the ability to perform man-in-the-middle attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0 or later; SANnav v2.1.1 or later
Vendor Advisory: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1291
Restart Required: Yes
Instructions:
1. Download appropriate firmware from Broadcom support portal.
2. Backup current configuration.
3. Apply firmware update following vendor documentation.
4. Restart affected devices.
5. Verify SSH host keys are now 2048-bit or stronger.
🔧 Temporary Workarounds
Disable SSH access
Temporarily disable SSH access to vulnerable devices and use alternative management methods.
no ssh enable
Network segmentation
Isolate vulnerable devices on separate VLANs with strict access controls.
🧯 If You Can't Patch
- Implement strict network segmentation to limit SSH access to trusted administrative networks only.
- Deploy network monitoring and intrusion detection to detect man-in-the-middle attempts on SSH traffic.
🔍 How to Verify
Check if Vulnerable:
Check SSH host key length using 'ssh-keyscan' or examine SSH configuration for key generation settings.
Check Version:
versionShow (Fabric OS) or equivalent version check command
Verify Fix Applied:
Verify firmware version is patched and check SSH host key length is 2048 bits or greater.
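An added example (not from the vendor advisory or from this page's source) of the host key length check described above: it parses `ssh-keyscan`-style output and reports RSA or DSA host keys shorter than 2048 bits. The host names and key material in `SAMPLE` are constructed, and all function names are illustrative.

```python
import base64

MIN_BITS = 2048  # minimum host key length named in the advisory

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
        if end > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off + 4:end])
        off = end
    return fields

def key_bits(b64_blob):
    """Return (key_type, bits); bits is None for non-RSA/DSA key types."""
    fields = read_fields(base64.b64decode(b64_blob, validate=True))
    ktype = fields[0].decode("ascii")
    index = {"ssh-rsa": 2, "ssh-dss": 1}.get(ktype)  # RSA modulus n, DSA prime p
    if index is None:
        return ktype, None
    return ktype, int.from_bytes(fields[index], "big").bit_length()

def weak_hosts(keyscan_output, min_bits=MIN_BITS):
    """Return [(host, key_type, bits)] for scanned keys below min_bits."""
    findings = []
    for line in keyscan_output.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue  # banner comment or blank line
        try:
            ktype, bits = key_bits(parts[2])
        except (ValueError, IndexError):
            continue  # not a parseable public key
        if bits is not None and bits < min_bits:
            findings.append((parts[0], ktype, bits))
    return findings

def constructed_rsa_line(host, bits):
    """Build a keyscan-style line around a constructed (not real) modulus."""
    def field(b):
        return len(b).to_bytes(4, "big") + b
    def mpint(i):
        return field(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

SAMPLE = "\n".join([constructed_rsa_line("switch-a.example", 1024),
                    constructed_rsa_line("switch-b.example", 2048)])
```

Against real devices, pass the captured standard output of `ssh-keyscan` for the management addresses to `weak_hosts()` in place of `SAMPLE`; an empty result after patching means no scanned RSA or DSA host key is below the threshold.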
📡 Detection & Monitoring
Log Indicators:
- SSH connection failures
- Unexpected SSH key warnings
- Multiple SSH authentication attempts
Network Indicators:
- Unusual SSH traffic patterns
- ARP spoofing detection
- SSH protocol anomalies
SIEM Query:
source="brocade_logs" AND (event_type="ssh_failure" OR event_type="ssh_warning")