CVE-2022-28168

7.5 HIGH

📋 TL;DR

Brocade SANnav versions before v2.2.0.2 and v2.1.1.8 store SCP server passwords in log files using only Base64 encoding, which provides no real security. Attackers who gain access to these log files can easily decode and obtain the passwords. This affects organizations using vulnerable Brocade SANnav management software.

💻 Affected Systems

Products:
  • Brocade SANnav
Versions: Versions before v2.2.0.2 and v2.1.1.8
Operating Systems: Not OS-specific - Brocade SANnav appliance/software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations where SCP server passwords are stored in logs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers obtain SCP server credentials, gain unauthorized access to storage systems, potentially compromising sensitive data or disrupting SAN operations.

🟠 Likely Case: Insiders or attackers with log file access decode passwords, gaining unauthorized SCP access to network storage resources.

🟢 If Mitigated: With proper access controls and log file protection, attackers cannot access the encoded passwords, preventing exploitation.

🌐 Internet-Facing: LOW - This requires access to log files, typically not internet-facing.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts with log access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Base64 decoding is trivial with any programming language or online tool.

Exploitation requires access to log files containing the encoded passwords.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.0.2 or v2.1.1.8

Vendor Advisory: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the Broadcom support portal.
2. Back up the current configuration.
3. Apply the patch following vendor instructions.
4. Restart the SANnav service or appliance.

🔧 Temporary Workarounds

Restrict log file access

linux

Apply strict file permissions to SANnav log directories to prevent unauthorized access.

chmod 600 /var/log/sannav/*
chown root:root /var/log/sannav/*

Disable SCP server logging

all

Configure SANnav to not log SCP server password information.

Check Brocade documentation for specific logging configuration commands

🧯 If You Can't Patch

  • Implement strict access controls on SANnav log directories and files
  • Monitor and audit access to SANnav log files for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the SANnav version via the web interface or CLI. If the version is earlier than v2.2.0.2 or v2.1.1.8, the system is vulnerable.

Check Version:

sannav --version or check web interface administration page

Verify Fix Applied:

After patching, verify that the version shows v2.2.0.2 or v2.1.1.8 or later. Check that SCP passwords are no longer stored in plain Base64 in logs.
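One way to run that log check and scrub what is already on disk, as an added example (not Brocade tooling and not code from the advisory). The key/value log layout, the field names and the sample lines are assumptions constructed for illustration, since the page does not show the real SANnav log format.

```python
import base64
import re

# Assumed log shape (the page does not show the real SANnav layout):
# a password-like key followed by a Base64 token.
PASSWORD_FIELD = re.compile(
    r'(?P<key>\w*pass\w*\s*[=:]\s*"?)(?P<val>[A-Za-z0-9+/]{4,}={0,2})', re.I)

def decodes_to_text(token):
    """True if token is valid Base64 whose bytes are all printable ASCII."""
    if len(token) % 4:
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(0x20 <= b < 0x7F for b in raw)

def scrub_line(line):
    """Mask recoverable Base64 secrets; return (scrubbed_line, hit_count)."""
    hits = 0
    def mask(m):
        nonlocal hits
        if not decodes_to_text(m.group("val")):
            return m.group(0)  # e.g. a binary digest, not a reversible password
        hits += 1
        return m.group("key") + "[REDACTED]"
    return PASSWORD_FIELD.sub(mask, line), hits

def audit(lines):
    """Return (scrubbed_lines, 1-based numbers of lines that exposed a secret)."""
    results = [scrub_line(line) for line in lines]
    scrubbed = [clean for clean, _ in results]
    findings = [n for n, (_, hits) in enumerate(results, 1) if hits]
    return scrubbed, findings

def enc(data):
    return base64.b64encode(data).decode()

# Constructed sample lines with placeholder secrets, not real SANnav output.
SAMPLE_LOG = [
    "10:00:01 INFO scp host=192.0.2.10 user=backup password=" + enc(b"ExamplePass1"),
    "10:00:02 INFO scp transfer complete bytes=1048576",
    '10:00:03 DEBUG scpPassword: "' + enc(b"sample-secret") + '"',
    "10:00:04 DEBUG password_hash=" + enc(bytes(range(12))),
]

if __name__ == "__main__":
    scrubbed, findings = audit(SAMPLE_LOG)
    print("\n".join(scrubbed), "\nrotate credentials from lines:", findings)
```

Any line number it reports means that SCP credential should be treated as exposed and rotated, and the original log file replaced with the scrubbed copy.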

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to SANnav log files
  • Multiple failed SCP login attempts following log access

Network Indicators:

  • Unusual SCP connections from unexpected sources
  • Increased SCP traffic to storage systems

SIEM Query:

source="sannav_logs" AND (event="log_file_access" OR event="scp_auth")
