CVE-2022-43936
📋 TL;DR
Brocade SANnav versions before 2.2.2 log switch passwords in plaintext when debugging is enabled. This allows attackers with access to logs to obtain credentials for Brocade Fabric OS switches. Organizations using Brocade SANnav for SAN management are affected.
💻 Affected Systems
- Brocade SANnav
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials for Fabric OS switches, enabling complete compromise of SAN infrastructure including data access, configuration changes, and denial of service.
Likely Case
Internal attackers or those with log access harvest switch passwords, gaining unauthorized access to SAN switches for reconnaissance or limited configuration changes.
If Mitigated
With debugging disabled and proper log access controls, the vulnerability cannot be exploited even if present.
🎯 Exploit Status
Exploitation requires access to SANnav logs where passwords are stored in plaintext. No special tools needed beyond log access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.2 or later
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21218
Restart Required: Yes
Instructions:
1. Download SANnav 2.2.2 or later from the Broadcom support portal.
2. Back up the current configuration.
3. Apply the update following vendor documentation.
4. Verify successful upgrade and functionality.
🔧 Temporary Workarounds
Disable Debug Logging
Platform: all
Disable debugging functionality to prevent password logging
Navigate to SANnav GUI > Administration > System Settings > Debug Settings > Disable all debug options
Restrict Log Access
Platform: Linux
Implement strict access controls on SANnav log files and directories
chmod 600 /var/log/sannav/*
setfacl -m u:sannav:r-- /var/log/sannav/*
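The workaround above relies on log files not being readable by anyone other than the service account. The following Python script is an added example (not part of this advisory or of Brocade's tooling) that audits a log directory for files with any group or other permission bits set and tightens them to owner-only; the directory path, file names and the `demo()` scenario are constructed for illustration.

```python
import os
import stat
import tempfile

# Any of these bits lets a non-owner read, write or execute the file.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_log_permissions(log_dir):
    """Return [(path, octal_mode)] for regular files under log_dir whose mode
    grants anything to group or others. Symlinks are not followed."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & NON_OWNER_BITS:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings


def tighten(findings):
    """Reset every flagged file to owner read/write only (chmod 600)."""
    for path, _mode in findings:
        os.chmod(path, 0o600)


def demo():
    """Constructed scenario (hypothetical, not a real SANnav install):
    one world-readable log and one owner-only log in a temp directory.
    Returns (findings before tightening, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "sannav-debug.log")
        tight = os.path.join(tmp, "sannav-audit.log")
        for p in (loose, tight):
            with open(p, "w") as fh:
                fh.write("constructed sample line\n")
        os.chmod(loose, 0o644)
        os.chmod(tight, 0o600)
        before = audit_log_permissions(tmp)
        tighten(before)
        after = audit_log_permissions(tmp)
        return len(before), len(after)


if __name__ == "__main__":
    print("findings before/after:", demo())
```

Run `audit_log_permissions("/var/log/sannav")` on the real host before calling `tighten()`, and confirm the owner of the flagged files is the account that actually writes them, since a 600 mode on a file owned by someone else would stop the service from logging.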
🧯 If You Can't Patch
- Disable all debugging functionality immediately
- Implement strict access controls and monitoring for SANnav log files
🔍 How to Verify
Check if Vulnerable:
Check the SANnav version via the GUI (Administration > System Information) or the CLI 'sannav-version' command. If the version is below 2.2.2 and debugging is enabled, the system is vulnerable.
Check Version:
sannav-version
Verify Fix Applied:
Verify that the version is 2.2.2 or later and that debugging remains disabled. Search the logs for password strings to confirm they are no longer present.
📡 Detection & Monitoring
Log Indicators:
- Plaintext passwords in SANnav debug logs
- Unauthorized access to log directories
- Suspicious login attempts to Fabric OS switches
Network Indicators:
- Unexpected connections to SAN switch management interfaces
- Anomalous SAN configuration changes
SIEM Query:
source="sannav" AND "password" AND ("debug" OR "log")
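The verification step (version below 2.2.2 with debugging on) and the log indicator above (plaintext passwords in debug logs) can both be checked offline. The following Python script is an added example, not code from this advisory or from Brocade: it compares a version string numerically against 2.2.2 and scans log lines for credential-bearing fields, returning redacted copies so the findings can be filed without re-exposing the secret. The SANnav log format is not documented here, so the `SAMPLE_LOG` lines and the field names in `CRED_PATTERNS` are constructed for illustration.

```python
import re

# First release in which the plaintext logging was fixed (from the advisory).
FIXED_VERSION = (2, 2, 2)


def parse_version(text):
    """Extract the first dotted triple, e.g. 'SANnav 2.2.1 build 7' -> (2, 2, 1)."""
    mo = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not mo:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in mo.groups())


def is_vulnerable(version_text, debug_enabled):
    """Numeric tuple comparison avoids the string trap where '2.10.0' < '2.2.2'."""
    return parse_version(version_text) < FIXED_VERSION and debug_enabled


# Fields that would carry a credential in debug output. Constructed pattern,
# covering key=value, key: value and JSON-style "key":"value" forms.
CRED_PATTERNS = [
    re.compile(r'(?i)\b(password|passwd|pwd)"?\s*[=:]\s*"?([^"\s,}]+)'),
]


def scan_log_lines(lines):
    """Return [(line_no, redacted_line)] for lines containing a credential value."""
    hits = []
    for n, line in enumerate(lines, 1):
        redacted = line
        matched = False
        for pat in CRED_PATTERNS:
            if pat.search(redacted):
                matched = True
                redacted = pat.sub(lambda mo: f"{mo.group(1)}=<REDACTED>", redacted)
        if matched:
            hits.append((n, redacted))
    return hits


# Constructed sample lines; not real SANnav output.
SAMPLE_LOG = [
    "2023-01-10 09:12:31 DEBUG SwitchClient connecting to 10.0.0.5 user=admin password=S3cr3t!",
    "2023-01-10 09:12:32 INFO  SwitchClient session established",
    '2023-01-10 09:12:33 DEBUG FabricOS payload {"login":"admin","passwd":"S3cr3t!"}',
    "2023-01-10 09:12:34 INFO  Password policy check passed",
]


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("SANnav 2.2.1", debug_enabled=True))
    for line_no, text in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {text}")
```

Line 4 of the sample is deliberately a false-positive check: the word "Password" appears, but with no `=` or `:` separator it is not reported, which is the distinction the broad SIEM query above cannot make on its own.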