CVE-2025-6390
📋 TL;DR
Brocade SANnav versions before 2.4.0a log passwords and PBE keys in local server audit logs under specific conditions. This allows server administrators (but not SANnav users) to potentially access sensitive credentials. The vulnerability affects organizations using vulnerable SANnav versions for storage area network management.
💻 Affected Systems
- Brocade SANnav
⚠️ Risk & Real-World Impact
Worst Case
Server administrators could extract passwords and encryption keys from audit logs, potentially gaining unauthorized access to SANnav systems or decrypting sensitive data.
Likely Case
Accidental exposure of credentials to authorized server administrators who review audit logs, creating potential for credential misuse or insider threats.
If Mitigated
Limited impact with proper access controls and log management, as only server administrators can access these logs and they're not exposed to SANnav users.
🎯 Exploit Status
Exploitation requires existing server administrator privileges to access the local audit logs where credentials are logged.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SANnav 2.4.0a
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35909
Restart Required: Yes
Instructions:
1. Download SANnav 2.4.0a from the Broadcom support portal.
2. Back up the current configuration and data.
3. Deploy the updated version following Broadcom's upgrade documentation.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict audit log access
Limit access to server audit logs to only essential administrators and implement strict access controls.
# Use appropriate OS-specific access controls (e.g., chmod, ACLs) to restrict /var/log/audit or equivalent directories
Implement log monitoring and rotation
Regularly monitor and rotate audit logs to limit the exposure window of any logged credentials.
# Configure logrotate for audit logs with appropriate retention policies
🧯 If You Can't Patch
- Implement strict access controls on server audit log directories to limit exposure
- Regularly review and purge audit logs containing sensitive information
🔍 How to Verify
Check if Vulnerable:
Check SANnav version via SANnav web interface or CLI. Versions before 2.4.0a are vulnerable.
Check Version:
Check SANnav web interface under Administration > About, or use SANnav CLI commands specific to version checking.
Verify Fix Applied:
Verify SANnav version is 2.4.0a or later and check that passwords are no longer logged in audit logs under the same conditions.
📡 Detection & Monitoring
Log Indicators:
- Audit logs containing password strings or PBE key material
- Unexpected access to server audit log files
Network Indicators:
- No network indicators - this is a local logging issue
SIEM Query:
Search for audit log access events or patterns indicating credential extraction from logs
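The workaround section above asks for owner-only permissions on audit logs, and the log indicators above describe audit lines that carry password or PBE key material. The following shell script, added here as an example and not part of the advisory or of SANnav, does both checks against a constructed sample log: it reports which lines carry credential-looking fields (with the values redacted) and verifies the file is readable only by its owner. The field names it matches (password, passwd, pwd, pbe_key, secret) and the sample line layout are assumptions, not SANnav's real audit-log format.

```shell
# Added example (not SANnav code): find credential-looking fields in a log and
# check its permissions. Field names are assumptions, not SANnav's real format.

# Prints "<line-number>:<field-name>" for each line carrying a password/PBE-key-like
# field. The value is never echoed, so the report does not spread the secret further.
scan_log_for_credentials() {
    awk '
    {
        line = tolower($0)
        if (match(line, /(password|passwd|pwd|pbe[_-]?key|secret)[[:space:]]*[=:][[:space:]]*[^[:space:],;]+/)) {
            field = substr(line, RSTART, RLENGTH)
            sub(/[[:space:]]*[=:].*/, "", field)   # keep only the field name
            print NR ":" field
        }
    }' "$1"
}

# Number of lines in the file that leak credential material.
count_credential_leaks() {
    scan_log_for_credentials "$1" | wc -l | tr -d ' '
}

# Returns 0 when group and other have no permission bits at all, i.e. only the
# owner (and root) can read the file. Tries GNU stat first, then BSD stat.
log_is_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample audit log (not real SANnav output) used for the demo.
SAMPLE_LOG="${TMPDIR:-/tmp}/sample_audit_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
2025-06-01T10:00:00Z user=admin action=login result=success
2025-06-01T10:00:05Z user=admin action=config_update password=Hunter2! host=switch01
2025-06-01T10:01:00Z action=keystore_init PBE_KEY: 7f3a9c2b result=ok
2025-06-01T10:02:00Z user=ops action=logout
EOF
chmod 600 "$SAMPLE_LOG"   # the restrictive mode the workaround section calls for
echo "credential-bearing lines in $SAMPLE_LOG:"
scan_log_for_credentials "$SAMPLE_LOG"
if log_is_owner_only "$SAMPLE_LOG"; then
    echo "permissions OK: owner-only"
else
    echo "WARNING: $SAMPLE_LOG is readable by group or others"
fi
```

Run it against a real audit log path instead of the constructed sample to get a redacted list of lines that need purging; a non-zero count means the log should be rotated out and its permissions reviewed.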