CVE-2024-29957
📋 TL;DR
Brocade SANnav servers configured in Disaster Recovery (DR) mode write the encryption key into the DR log files, which turns every copy of those logs into an additional attack surface. Anyone who can read the DR logs (on the server, in a backup, or in a collected support bundle) obtains the key and can decrypt whatever it protects. This affects Brocade SANnav versions before 2.3.1, other than 2.3.0a, which also contains the fix.
💻 Affected Systems
- Brocade SANnav
📦 What is this software?
Brocade SANnav is Broadcom's management platform for Brocade Fibre Channel SAN fabrics (switch and fabric monitoring, configuration, and zoning). Its Disaster Recovery mode keeps a standby SANnav instance synchronized with the primary so it can take over if the primary is lost.
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain encryption keys from DR log files and decrypt sensitive SAN management data, leading to data exposure, unauthorized access to storage infrastructure, or manipulation of SAN configurations.
Likely Case
Attackers with existing access to the system extract encryption keys from log files, potentially escalating privileges or accessing encrypted configuration data.
If Mitigated
With strict access controls on the DR log files, attackers cannot reach them and so cannot extract the key, even though the vulnerable build still writes it. Note that this only helps if every copy of the logs is protected: backups, support bundles and central log collection will carry the key too.
🎯 Exploit Status
Exploitation requires read access to the DR log files, or to a copy of them (backup, support bundle, log collector), which typically means some level of system or log-store access is already achieved. No public exploit is referenced here; none is needed beyond reading the file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.1 or 2.3.0a
Vendor Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/23241
Restart Required: Yes
Instructions:
1. Download Brocade SANnav version 2.3.1 or 2.3.0a from the Broadcom support portal.
2. Back up the current configuration.
3. Apply the update following the Brocade SANnav upgrade procedures.
4. Restart the SANnav services or appliance as required.
🔧 Temporary Workarounds
Disable Disaster Recovery Mode
If Disaster Recovery functionality is not required, disable DR mode to eliminate the vulnerability.
Consult Brocade SANnav documentation for DR mode disable procedures
Restrict Access to DR Log Files
Apply strict file permissions to the DR log directory and its files to prevent unauthorized access. Restrict the directory itself as well as the files, confirm the account the SANnav DR process runs as still has the access it needs, and treat logs already written while vulnerable (and any copies of them) as containing key material.
chmod 600 /path/to/dr/logs/*
chown root:root /path/to/dr/logs/*
🧯 If You Can't Patch
- Implement strict access controls on DR log directories and files
- Monitor access to DR log files and alert on unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check SANnav version via web interface or CLI. If version is below 2.3.1 and not 2.3.0a, and DR mode is enabled, system is vulnerable.
Check Version:
sannav-cli version or check web interface System > About
Verify Fix Applied:
Verify the SANnav version is 2.3.1 or 2.3.0a via the admin interface. Confirm that newly written DR log files no longer contain the encryption key, then restrict or purge the older DR logs (and any backups or support bundles holding them) that were produced while the server was vulnerable.
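The permission workaround above and this verification step both come down to the same two checks on the DR log directory: are the files readable by anyone other than the owner, and do their contents still carry key material? The script below does both over a directory. It is an added example, not Brocade or Broadcom code and not part of the advisory; the DR log path, the file names, and the line format in which the key appears are assumptions (the advisory does not publish the real format), so the regular expression is a starting point to tune against your own logs.

```python
"""Audit a SANnav DR log directory for loose permissions and leaked key material.

Added example, not Brocade/Broadcom code. DR_LOG_DIR, the file names and the
line formats are assumptions; point DR_LOG_DIR at the real directory on the
SANnav host and adjust KEY_PATTERN once you have seen the real logs.
"""
import math
import os
import re
import stat
import tempfile
from collections import Counter

# Assumed location; the advisory does not state where the DR logs live.
DR_LOG_DIR = "/opt/sannav/dr/logs"

# A field whose name mentions key/secret/passphrase, followed by a long hex or base64 token.
KEY_PATTERN = re.compile(
    r"(?i)\b([a-z_.-]*(?:key|secret|passphrase)[a-z_.-]*)\s*[=:]\s*([A-Za-z0-9+/=_-]{16,})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material sits well above placeholders and English."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_key_material(text: str, min_entropy: float = 3.5) -> list:
    """Return (field_name, token) pairs that look like real key material, not placeholders."""
    return [(name, tok) for name, tok in KEY_PATTERN.findall(text)
            if shannon_entropy(tok) >= min_entropy]


def loose_permissions(path: str) -> list:
    """Describe anything wrong with the file's mode bits or owner (empty list = fine)."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path}: readable by group/other (mode {stat.filemode(st.st_mode)})")
    if st.st_uid != 0:
        problems.append(f"{path}: not owned by root (uid {st.st_uid})")
    return problems


def audit_dr_logs(directory: str = DR_LOG_DIR) -> dict:
    """Walk the DR log directory; report loose permissions and lines carrying key material."""
    report = {"permissions": [], "leaked_keys": []}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            report["permissions"].extend(loose_permissions(path))
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for name, token in find_key_material(line):
                        # Never echo the whole key into the audit output.
                        report["leaked_keys"].append((path, lineno, name, token[:8] + "..."))
    return report


def demo() -> dict:
    """Constructed DR log files in a temp dir: one leaks a key and is world-readable, one is clean."""
    tmp = tempfile.mkdtemp()
    leaky = os.path.join(tmp, "dr-sync.log")
    with open(leaky, "w") as fh:
        fh.write("2024-04-17 10:01:02 INFO DR sync started peer=sannav-dr-2\n")
        fh.write("2024-04-17 10:01:03 DEBUG encryptionKey=q7Gk9Z2mN4xR8wVb1pLsT3yH6cJd0fEa\n")
    os.chmod(leaky, 0o644)  # group/other readable on purpose
    clean = os.path.join(tmp, "dr-status.log")
    with open(clean, "w") as fh:
        fh.write("2024-04-17 10:02:00 INFO DR status=healthy key_rotation=scheduled\n")
    os.chmod(clean, 0o600)
    return audit_dr_logs(tmp)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for item in items:
            print("  ", item)
```

Run it as root on the SANnav host with the real directory (`audit_dr_logs("/your/dr/log/dir")`) after patching; an empty `leaked_keys` list for logs written by the fixed build, together with an empty `permissions` list, is the condition you want. The entropy gate keeps `key_rotation=scheduled`-style fields and obvious placeholders out of the results, so the hits that remain deserve a look.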
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to DR log directories
- File read operations on DR log files by non-privileged users
Network Indicators:
- Unusual data exfiltration patterns from SANnav appliance
SIEM Query (Splunk-style; the source name and field names are illustrative and must be mapped to whatever your SANnav host actually forwards, for example auditd file-watch records):
source="sannav" ((event="file_access" path="*dr*log*") OR (user!="root" process IN ("cat","less","more","tail") file="*dr*log*"))