CVE-2025-12679
📋 TL;DR
This vulnerability exposes the Password-Based Encryption (PBE) key in plaintext within system audit logs during migration operations in Brocade SANnav. Only remote authenticated attackers with privileged access to the server's audit logs can exploit this to potentially decrypt sensitive data. The vulnerability affects Brocade SANnav installations undergoing migration, not new installations.
💻 Affected Systems
- Brocade SANnav
📦 What is this software?
SANnav by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
An attacker with access to audit logs could obtain the PBE key and decrypt sensitive encrypted data stored or transmitted by SANnav, potentially leading to data exposure or further system compromise.
Likely Case
A privileged server administrator could inadvertently expose the PBE key through audit log access, potentially compromising encryption of SANnav data if the key is misused.
If Mitigated
With proper access controls limiting audit log access to trusted administrators only, the risk is significantly reduced as the key exposure remains within controlled administrative channels.
🎯 Exploit Status
Exploitation requires: 1) Migration operation occurring, 2) Authenticated privileged access to server audit logs, 3) Ability to locate and extract the PBE key from logs
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0b
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845
Restart Required: Yes
Instructions:
1. Download Brocade SANnav version 2.4.0b or later from the Broadcom support portal.
2. Back up current configuration and data.
3. Apply the update following vendor documentation.
4. Restart SANnav services.
5. Verify successful update and functionality.
🔧 Temporary Workarounds
Restrict Audit Log Access
Limit access to server audit logs to only essential administrators during migration operations
# Use appropriate OS commands to restrict log directory permissions
# Example for Linux: chmod 600 /var/log/audit/*
# Example for Windows: icacls audit_log_directory /deny users:(R,W)
Monitor Migration Operations
Implement monitoring for migration activities and review audit logs for PBE key exposure
# Set up log monitoring for migration-related activities
# Example: grep -i 'migration\|pbe' /var/log/audit/audit.log
🧯 If You Can't Patch
- Restrict access to server audit logs to minimum necessary administrators only
- Avoid performing migrations until patch can be applied, or perform migrations in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check SANnav version: If version is earlier than 2.4.0b and system has undergone migration, it is vulnerable. Review audit logs for PBE key exposure during migration periods.
Check Version:
# From SANnav CLI or web interface, check version information
# CLI: sanav --version
# Web interface: Navigate to Administration > System Information
Verify Fix Applied:
1. Verify SANnav version is 2.4.0b or later.
2. Perform a test migration and confirm in the audit logs that the PBE key is not exposed in plaintext.
3. Validate encryption functionality remains intact.
📡 Detection & Monitoring
Log Indicators:
- Plaintext PBE key strings in audit logs
- Migration operation logs followed by encryption key exposure
- Unauthorized access attempts to audit log files
Network Indicators:
- Unusual access patterns to log server or SANnav management interfaces during migration periods
SIEM Query:
source="audit.log" AND ("PBE" OR "encryption key" OR "migration") AND NOT "encrypted"
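A local equivalent of the SIEM query above that masks the matched value, so the review itself does not copy the key into a terminal, ticket or SIEM. This is an added example, not Broadcom tooling or part of the original page; the `name=value` record layout, the `pbe_key` field name and the sample records are constructed, because the page does not document SANnav's audit record format.

```shell
#!/bin/sh
# Added example (not vendor tooling). Assumption: key material is logged as
# "<pbe...key | encryption key> = <value>"; the sample records are constructed.

# scan_audit_log FILE -> "line<TAB>verdict<TAB>masked record" per matching record
scan_audit_log() {
    awk '
    BEGIN { re = "(pbe[a-z_ ]*key|encryption key)[ \t]*[=:][ \t]*[^ \t,;]+" }
    {
        line = $0; low = tolower(line); out = ""; verdict = "REVIEW"
        # Same logic as the SIEM query: (PBE OR encryption key OR migration) AND NOT encrypted
        if (low !~ /pbe|encryption key|migration/ || low ~ /encrypted/) next
        while (match(low, re)) {
            s = RSTART; n = RLENGTH
            hit = substr(line, s, n)
            match(hit, /[=:]/)            # RSTART now points at the separator inside hit
            out = out substr(line, 1, s - 1) substr(hit, 1, RSTART) "[REDACTED]"
            line = substr(line, s + n); low = substr(low, s + n)
            verdict = "KEY_VALUE"         # a value followed the key name
        }
        printf "%d\t%s\t%s\n", NR, verdict, out line
    }' "$1"
}

# Constructed audit records for the demonstration.
write_sample_log() {
    cat > "$1" <<'EOF'
2025-01-10T02:14:07Z user=admin action=login result=success
2025-01-10T02:15:31Z user=admin action=migration_start source=node-a
2025-01-10T02:15:44Z user=admin action=migration_step pbe_key=EXAMPLE-NOT-A-REAL-KEY status=ok
2025-01-10T02:16:02Z user=admin action=migration_step payload=encrypted status=ok
2025-01-10T02:17:20Z user=admin action=migration_end status=ok
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
scan_audit_log "$sample"
rm -f "$sample"
```

Records marked `KEY_VALUE` are the ones to treat as key exposure; `REVIEW` records only mention migration or key-related terms.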