Application security, Vulnerability Management, Patch/Configuration Management

After a 19-month saga, Broadcom finally patches Brocade SANnav bugs


After a 19-month saga going back-and-forth over multiple vulnerabilities in Brocade’s SANnav management application, security researcher Pierre Barre said Broadcom — which acquired Brocade in 2017 — finally patched the flaws this April, 11 months after first acknowledging the bugs.

Barre noted in a blog post that three of the 18 flaws he discovered could let attackers send malicious data and intercept credentials sent in clear-text, potentially compromising the entire SANnav Fibre Channel infrastructure.

SecurityWeek reported that the first security issue exists because the SANnav virtual machine ships without basic hardening, including no firewall enabled by default, which can let an attacker on the network reach the APIs of the Apache Kafka event-streaming platform the appliance exposes. The other two issues stem from falling back to HTTP as the management protocol if HTTPS is blocked, and from syslog traffic being sent in clear text.
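The three issue classes above (an unfiltered Kafka port, a management UI that answers over plain HTTP, and clear-text syslog) are exactly the kind of thing an operator can verify from the network before trusting a vendor's patch notes. The script below is an added example and is not Brocade's, Broadcom's or the researcher's code: it assumes the appliance keeps Kafka's default broker port 9092, that an unfiltered broker accepts a TCP connect, and that syslog destinations are written as scheme://host:port; the loopback demo servers only stand in for an appliance so the checks can be exercised offline.

```python
"""Added example: network-exposure checks mapping to the three SANnav issue classes
(no host firewall in front of Kafka, an HTTP fallback for the management UI, and
clear-text syslog). Not vendor or researcher code; the demo servers below stand in
for an appliance so the checks can run offline."""
import http.server
import socket
import threading
from http.client import HTTPConnection
from urllib.parse import urlparse

KAFKA_PORT = 9092  # Kafka's default broker port; assumption that the appliance keeps it


def port_reachable(host, port, timeout=2.0):
    """True when a TCP connect succeeds, i.e. nothing in front of the service filters it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_management_exposure(host, port=80, path="/", timeout=3.0):
    """Classify what plain HTTP on the management port does.

    'filtered'            no TCP connection at all (desired if HTTPS is the only entry point)
    'redirects_to_https'  3xx with an https:// Location (acceptable)
    'serves_cleartext'    2xx page over HTTP, so a login would travel in the clear
    'other'               anything else (e.g. 4xx/5xx), worth a manual look
    """
    try:
        conn = HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, (resp.getheader("Location") or "")
        resp.read()
        conn.close()
    except OSError:
        return "filtered"
    if 300 <= status < 400 and location.lower().startswith("https://"):
        return "redirects_to_https"
    if 200 <= status < 300:
        return "serves_cleartext"
    return "other"


def classify_syslog_target(target):
    """Classify a syslog destination written as scheme://host:port (assumed convention).

    Only syslog over TLS (RFC 5425, conventionally tcp/6514) protects the stream;
    udp://, tcp:// and a bare 'host:port' (treated as UDP) are clear-text.
    """
    parsed = urlparse(target if "://" in target else "udp://" + target)
    return "encrypted" if parsed.scheme == "tls" else "cleartext"


# --- demo stand-ins so the checks can be exercised offline -------------------

def _make_handler(mode):
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if mode == "redirect":  # hardened behaviour: push the client to HTTPS
                self.send_response(301)
                self.send_header("Location", "https://%s/" % self.server.server_address[0])
                self.send_header("Content-Length", "0")
                self.end_headers()
            else:  # weak behaviour: login page served over plain HTTP
                body = b"<html><title>Management login</title></html>"
                self.send_response(200)
                self.send_header("Content-Type", "text/html")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_demo_http(mode):
    """Start a loopback HTTP server in 'redirect' or 'cleartext' mode; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _make_handler(mode))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_demo_listener():
    """A bare listening socket standing in for an unfiltered Kafka broker; returns (sock, port)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    srv, p = start_demo_http("cleartext")
    print("HTTP management port:", http_management_exposure("127.0.0.1", p))
    srv.shutdown()
    srv.server_close()
    lsock, kp = start_demo_listener()
    print("Kafka-style port reachable:", port_reachable("127.0.0.1", kp))
    lsock.close()
    print("syslog udp://10.0.0.5:514 ->", classify_syslog_target("udp://10.0.0.5:514"))
```

Against a real appliance you would call `port_reachable(appliance_ip, KAFKA_PORT)` from a host that should not be able to reach the broker, and `http_management_exposure(appliance_ip, 80)` from any client; a result of `True` or `serves_cleartext` respectively reproduces the exposure described above, while `False` and `redirects_to_https` (or `filtered`) is the state a firewall and an HTTPS-only configuration should produce.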

“Brocade clearly has their own security program issues in the engineering team by not patching their products and forcing a password change upon the first login, having unsafe technologies, such as HTTP, sending information in clear-text, not having a configured firewall, and backdoor user accounts,” explained Guy Rosenthal, vice president of product at DoControl. “In the end, this attack was easy to execute, as well as being easy to avoid.”

Barre explained that he first delivered his security assessment in September 2022 to Brocade support via Dell, but it was rejected by Brocade because it didn't address the latest version of SANnav at that time.

“Luckily, I was able to get access to the latest version of SANnav in May 2023 and confirmed that all the previously rejected vulnerabilities were still present. As a bonus point, I was able to find three additional zero-day vulnerabilities while updating the report,” wrote Barre.

The updated report confirming all the vulnerabilities was sent to Brocade PSIRT in May 2023; Brocade acknowledged them then and shipped the patches in April 2024.

“The delays in issuing patches for the SANnav appliance vulnerabilities can be attributed to several factors,” said Callie Guenther, senior manager of threat research at Critical Start. “First, the complexity of the flaws themselves — given their variety and severity — likely required significant time to develop effective patches. These patches needed to be robust enough not to disrupt existing deployments or introduce new vulnerabilities.”

Guenther added that resource allocation might have influenced the timing. Depending on the vendor's priorities and available resources, Guenther said addressing these vulnerabilities might not have been immediate, particularly if the severity of the issues was initially underestimated. Finally, Guenther said extensive verification and testing are crucial to ensure that the patches are effective and do not introduce further issues, especially in complex environments like SAN management.

“This thorough testing process can also contribute to delays in the patch release,” said Guenther.
