CVE-2024-10404
📋 TL;DR
Brocade SANnav versions before 2.3.1b log sensitive information like passwords and SNMP secrets in clear text. This allows authenticated local attackers with administrative privileges to retrieve sensitive data from support files. The vulnerability affects Brocade SANnav management software users.
💻 Affected Systems
- Brocade SANnav
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative credentials and SNMP secrets, enabling complete SAN infrastructure compromise, lateral movement, and data exfiltration.
Likely Case
Privileged insiders or attackers with local access extract credentials from support files, leading to unauthorized access to Brocade switches.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure requiring additional steps for exploitation.
🎯 Exploit Status
Exploitation requires administrative privileges and access to 'supportsave' files or the system where they're stored.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.1b
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25403
Restart Required: Yes
Instructions:
1. Download Brocade SANnav 2.3.1b from the Broadcom support portal.
2. Back up the current configuration.
3. Apply the update following Brocade SANnav upgrade procedures.
4. Restart the SANnav service/system.
🔧 Temporary Workarounds
Restrict access to support files
Platform: linux
Limit access to 'supportsave' files and directories containing support data to authorized administrators only.
chmod 600 /path/to/supportsave/files
chown root:root /path/to/supportsave/files
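An audit for the workaround above, added here as an example and not taken from the vendor advisory: it lists files under a supportsave directory that are looser than mode 600, directories with any group/other bit, and entries not owned by the expected user. It assumes GNU find and stat; the function name and output format are illustrative.

```sh
#!/bin/sh
# Added example, not vendor code: audit a supportsave directory against the
# workaround above. Reports files looser than mode 600, directories with any
# group/other permission bit, and entries not owned by the expected user.
# Assumes GNU find and stat (Linux). The caller supplies the directory,
# because the page gives only the placeholder /path/to/supportsave/files.

audit_supportsave() {
    audit_dir=$1
    audit_owner=${2:-root}    # user name or numeric uid; root per the workaround
    if [ ! -d "$audit_dir" ]; then
        echo "audit_supportsave: not a directory: $audit_dir" >&2
        return 2
    fi
    # -perm /177 on files: owner-execute or any group/other bit is set.
    # -perm /077 on directories: any group/other bit is set.
    audit_out=$(find "$audit_dir" \
        \( -type f \( -perm /177 -o ! -user "$audit_owner" \) \
           -exec stat -c 'FILE mode=%a owner=%U %n' {} + \) -o \
        \( -type d \( -perm /077 -o ! -user "$audit_owner" \) \
           -exec stat -c 'DIR mode=%a owner=%U %n' {} + \))
    if [ -n "$audit_out" ]; then
        printf '%s\n' "$audit_out"
        return 1    # at least one entry is looser than the workaround
    fi
    return 0        # everything matches the workaround
}

# Stand-alone use: sh audit.sh /path/to/supportsave/files [owner]
if [ "$#" -ge 1 ]; then
    audit_supportsave "$@"
fi
```

Exit status 0 means nothing was found, 1 means at least one finding was printed, and 2 means the path is not a directory, so the function can gate a cron job or a configuration-management check.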
Disable unnecessary logging
Platform: all
Review and disable logging of sensitive information in CalInvocationHandler if possible.
Review Brocade SANnav logging configuration and disable sensitive data logging
🧯 If You Can't Patch
- Implement strict access controls to limit who can access SANnav systems and support files.
- Monitor and audit access to support files and SANnav administrative interfaces for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the SANnav version via the web interface or CLI. If the version is below 2.3.1b, the system is vulnerable.
Check Version:
Check SANnav web interface or use 'sannav-version' command if available via CLI.
Verify Fix Applied:
Verify SANnav version is 2.3.1b or higher. Check that sensitive data is no longer logged in clear text in support files.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to support files
- Multiple access attempts to 'supportsave' directories
- Administrative credential misuse following support file access
Network Indicators:
- Unusual SNMP traffic from SANnav systems
- Unexpected administrative access to Brocade switches
SIEM Query:
source="sannav" AND ((event="file_access" AND file_path="*supportsave*") OR (event="auth_failure" AND user="admin"))