Brocade's SANnav Management Portal is a popular software suite that helps manage Fibre Channel fabrics in enterprise data centers. If you are running SANnav versions before v2.3.a, there’s a critical security problem you need to know about: CVE-2024-29964. Let's break down what’s wrong, how it can be abused, and what you should do right now.
What Is CVE-2024-29964?
CVE-2024-29964 is a vulnerability affecting Brocade SANnav Management Portal versions before v2.3.a. Due to wrong file permission settings, important files—including Docker configuration files—can be read by users who shouldn't have access. An unprivileged attacker who manages to log in or escalate local access could view data that should be secret, such as credentials, certificates, logs, and more.
System configuration info
If a bad actor gets their hands on this data, they can potentially take over services, move laterally within your network, or steal sensitive information.
How Does the Vulnerability Work?
The root of the issue is poor Linux/Unix file permissions: in Brocade SANnav <=2.3., some key files (like Docker configs, YAML, and secret files) are readable by any local user. These files might look like:
- /opt/brocade/sannav/docker/docker-compose.yml
- /opt/brocade/sannav/docker/.env
- /opt/brocade/sannav/conf/server.key
- /opt/brocade/sannav/config/database.conf
For example, the permissions might be
ls -l /opt/brocade/sannav/docker/docker-compose.yml
-rw-r--r-- 1 sannav sannav 1234 Mar 10 15:00 /opt/brocade/sannav/docker/docker-compose.yml
That -rw-r--r-- means *everyone* can read the file!
If an unprivileged user or a process running with basic permissions can read these files, they could, for example, steal database credentials.
Simple Exploit Example
Assume an attacker has access to a low-privileged shell account on the server running SANnav. They could simply:
# List files world-readable inside the sannav directory
find /opt/brocade/sannav/ -type f -perm -o=r 2>/dev/null
# For Docker config secrets
cat /opt/brocade/sannav/docker/.env
# For private TLS key
cat /opt/brocade/sannav/conf/server.key
If the /opt/brocade/sannav/docker/.env contains something like
POSTGRES_USER=admin
POSTGRES_PASSWORD=supersecretpassword
JWT_SECRET=verysecrettoken
Now the attacker has the database and internal authentication secrets!
Who’s Affected?
Any organization running Brocade SANnav Management Portal with version lower than 2.3.a. This includes managed hosting environments, on-prem installations, test, and production systems. Even if your system is behind a firewall, anyone with local access—including compromised users, malware, or rogue insiders—can abuse this.
How Do I Fix It?
Upgrade!
Brocade fixed this in version 2.3.a. Download and install the latest update from your Brocade support portal.
Check and Correct Permissions
For a manual, temporary fix, make sure sensitive files are only readable by the sannav user
# Set permissions for sensitive files
chmod 600 /opt/brocade/sannav/docker/.env
chmod 600 /opt/brocade/sannav/conf/server.key
# Or to recursively lock down everything under sannav to owner only
find /opt/brocade/sannav/ -type f -exec chmod 600 {} \;
find /opt/brocade/sannav/ -type d -exec chmod 700 {} \;
References
- Broadcom Brocade SANnav Portal Security Advisories
- CVE-2024-29964 at NVD
- Product Download Center
Final Thoughts
Vulnerabilities like CVE-2024-29964 are scary because they don’t require a lot of skill or fancy tools—just basic file access and know-how. Always keep your management infrastructure patched, and remember to audit file permissions on any sensitive applications.
If you’re running Brocade SANnav, check your version right now and make sure your files aren’t exposed!
Timeline
Published on: 04/19/2024 04:39:17 UTC
Last modified on: 06/04/2024 17:56:52 UTC