CVE-2024-2240
📋 TL;DR
The Docker daemon in Brocade SANnav management software versions before 2.3.1b runs without auditing enabled. Remote authenticated attackers can therefore act against the Docker daemon without their actions being recorded, so a range of attacks goes undetected. Organizations using Brocade SANnav for storage area network management are affected.
💻 Affected Systems
- Brocade SANnav
📦 What is this software?
Brocade SANnav is Brocade's management software for storage area networks (SANs). Affected releases run a Docker daemon on the SANnav management host, and it is that daemon whose activity is not audited.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could execute arbitrary code, manipulate SAN configurations, exfiltrate sensitive data, or disrupt storage operations without leaving audit trails.
Likely Case
Privileged users or compromised accounts could make unauthorized configuration changes, access sensitive SAN data, or disrupt operations while evading detection.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized actions being unlogged, but malicious activity could still be detected through other means.
🎯 Exploit Status
Requires authenticated access to the SANnav interface. Attackers would need to understand Docker commands and SANnav architecture to execute meaningful attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SANnav 2.3.1b
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25401
Restart Required: No
Instructions:
1. Download SANnav 2.3.1b from the Broadcom support portal.
2. Follow the SANnav upgrade procedures documented in the SANnav Installation and Upgrade Guide.
3. Verify that the Docker daemon now has auditing enabled.
🔧 Temporary Workarounds
Enable Docker auditing manually
Platform: Linux
Manually configure Docker daemon auditing to log all Docker commands and API calls.
Configure auditd rules for Docker:
auditctl -w /usr/bin/docker -k docker
auditctl -w /var/lib/docker -k docker
auditctl -w /etc/docker -k docker
🧯 If You Can't Patch
- Implement strict access controls to limit SANnav access to only necessary personnel
- Deploy network segmentation to isolate SANnav management traffic and restrict access to Docker ports
🔍 How to Verify
Check if Vulnerable:
Check SANnav version via web interface or CLI. Versions before 2.3.1b are vulnerable.
Check Version:
From the SANnav CLI, run san-nav version, or check the About page in the web interface.
Verify Fix Applied:
Verify SANnav version is 2.3.1b or later. Check Docker audit logs exist and contain Docker command entries.
📡 Detection & Monitoring
Log Indicators:
- Missing Docker audit logs in system logs
- Unexpected Docker commands from SANnav users
- Configuration changes without corresponding audit entries
Network Indicators:
- Unusual Docker API traffic from SANnav management IPs
- Unexpected connections to Docker daemon port 2375/2376
SIEM Query:
source="auditd" (process="docker" OR path="/usr/bin/docker")
An empty result over a period in which SANnav was in use is itself the indicator: Docker activity that produces no auditd records means Docker auditing is not enabled.
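The "Verify Fix Applied" step and the log indicators above both reduce to the same question: do auditd records keyed docker exist, and which login sessions ran Docker commands? The following Python script is an added example, not part of this advisory and not Broadcom or SANnav code. It parses constructed audit.log lines (the format auditd produces for the auditctl watches in the workaround), reports whether Docker audit coverage is present at all, and lists Docker CLI invocations tied to a real login session. The sample records, the user ids and the container name in them are constructed for illustration.

```python
"""Check auditd output for Docker audit coverage and Docker CLI use.
Added example; the sample log below is constructed, not SANnav output."""
import re
from collections import defaultdict

# Constructed /var/log/audit/audit.log excerpt: two "docker" CLI events from login
# session auid=1001, one dockerd-internal event (no login session), one unrelated event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1709300000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=4021 pid=4033 auid=1001 uid=0 gid=0 euid=0 comm="docker" exe="/usr/bin/docker" key="docker"
type=PROCTITLE msg=audit(1709300000.123:501): proctitle=646F636B6572007073
type=SYSCALL msg=audit(1709300010.456:502): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 comm="dockerd" exe="/usr/bin/dockerd" key="docker"
type=SYSCALL msg=audit(1709300020.789:503): arch=c000003e syscall=59 success=yes exit=0 ppid=4021 pid=4050 auid=1001 uid=0 gid=0 euid=0 comm="docker" exe="/usr/bin/docker" key="docker"
type=PROCTITLE msg=audit(1709300020.789:503): proctitle=646F636B65720065786563002D697400736F6D652D636F6E7461696E6572002F62696E2F7368
type=SYSCALL msg=audit(1709300030.000:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2010 auid=1002 uid=1002 gid=1002 euid=1002 comm="ls" exe="/usr/bin/ls" key="cmds"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event serial
AUDIT_KEY = "docker"        # the -k docker tag from the workaround rules
UNSET_AUID = "4294967295"   # auditd renders an unset login uid (-1) this way


def parse_audit_line(line):
    """Parse one auditd record into a dict of its fields, or None if not a record."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {}
    for k, v in FIELD_RE.findall(line):
        # proctitle keeps its quoting so decode_proctitle can tell text from hex
        fields[k] = v if k == "proctitle" else v.strip('"')
    fields["timestamp"], fields["event_id"] = m.group(1), m.group(2)
    return fields


def decode_proctitle(raw):
    """auditd hex-encodes proctitle when argv contains spaces; NUL separates the args."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return raw


def docker_events(text):
    """Join SYSCALL and PROCTITLE records by event id; return events keyed AUDIT_KEY."""
    by_event = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec:
            by_event[rec["event_id"]][rec["type"]] = rec
    events = []
    for event_id, recs in sorted(by_event.items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != AUDIT_KEY:
            continue
        pt = recs.get("PROCTITLE", {}).get("proctitle")
        events.append({
            "event_id": event_id,
            "timestamp": sc["timestamp"],
            "auid": sc.get("auid"),
            "exe": sc.get("exe"),
            "cmdline": decode_proctitle(pt) if pt else sc.get("comm"),
        })
    return events


def audit_coverage_present(text):
    """The 'Verify Fix Applied' check: at least one Docker-keyed audit record exists."""
    return bool(docker_events(text))


def interactive_docker_commands(text):
    """Docker CLI runs attributable to a login session (the 'unexpected Docker commands'
    indicator); dockerd-internal activity with an unset auid is skipped."""
    return [e for e in docker_events(text)
            if e["exe"] == "/usr/bin/docker" and e["auid"] != UNSET_AUID]


if __name__ == "__main__":
    if not audit_coverage_present(SAMPLE_AUDIT_LOG):
        print("no Docker-keyed audit records: Docker auditing appears disabled")
    for e in interactive_docker_commands(SAMPLE_AUDIT_LOG):
        print(f'{e["timestamp"]} auid={e["auid"]} {e["cmdline"]}')
```

Run it against a real audit.log by replacing SAMPLE_AUDIT_LOG with the file contents; an empty result from audit_coverage_present on a host where SANnav is in use means the watches are not active. Note that rules loaded with auditctl, as in the workaround, are runtime-only and are lost on reboot; to keep the coverage, put the same -w lines in a file under /etc/audit/rules.d/ so auditd reloads them at start.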