Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management software could be exploited to compromise susceptible appliances.
The 18 flaws affect all versions up to and including 2.3, according to independent security researcher Pierre Barre, who discovered and reported them.
The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to a lack of authentication and encryption, allowing an attacker to intercept credentials, overwrite arbitrary files, and fully compromise the device.
Some of the most severe flaws are listed below:
- CVE-2024-2859 (CVSS score: 8.8) – A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands
- CVE-2024-29960 (CVSS score: 7.5) – The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav appliance and compromise it
- CVE-2024-29961 (CVSS score: 8.2) – A vulnerability that could allow an unauthenticated, remote attacker to stage a supply chain attack by taking advantage of the fact that the SANnav service sends ping commands in the background at periodic intervals to the domains gridgain[.]com and ignite.apache[.]org to check for updates
- CVE-2024-29963 (CVSS score: 8.6) – The use of hard-coded Docker keys in the SANnav OVA to reach remote registries over TLS, thereby allowing an attacker to carry out an adversary-in-the-middle (AitM) attack on the traffic
- CVE-2024-29966 (CVSS score: 7.5) – The presence of hard-coded credentials for root users in publicly available documentation that could allow an unauthenticated attacker full access to the Brocade SANnav appliance
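A fleet-level check a defender can run for the shared-key problem behind CVE-2024-29960, added here as an example and not taken from the article or from Brocade: given ssh-keyscan output collected from each appliance, it fingerprints every host key and flags any key presented by more than one host, which is what a key baked into a shared OVA image looks like from the network. The host names and key blobs below are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format ("host keytype base64blob"),
# standing in for four hypothetical SANnav appliances. sannav-a and sannav-b
# present the same ed25519 blob; the blobs are placeholders, not real keys.
SAMPLE_SCAN = """\
# sannav-a:22 SSH-2.0-OpenSSH
sannav-a ssh-ed25519 QmFrZWQtaW4tT1ZBLWhvc3Qta2V5
sannav-b ssh-ed25519 QmFrZWQtaW4tT1ZBLWhvc3Qta2V5
sannav-c ssh-ed25519 VW5pcXVlLWtleS1mb3Itc2FubmF2LWM=
sannav-d ssh-rsa VW5pcXVlLXJzYS1rZXktZm9yLXNhbm5hdi1k
"""


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> list[tuple[str, str, str]]:
    """Return (host, keytype, blob) records, skipping ssh-keyscan '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than crash the sweep
        records.append((parts[0], parts[1], parts[2]))
    return records


def find_shared_host_keys(text: str) -> dict[str, list[str]]:
    """Map each fingerprint seen on more than one host to the hosts presenting it."""
    seen = defaultdict(list)
    for host, _keytype, blob in parse_keyscan(text):
        seen[fingerprint(blob)].append(host)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is shared by {', '.join(hosts)}: rotate these host keys")
```

Any fingerprint reported here means the affected appliances share a private key, so the fix is to regenerate host keys on each one rather than trust the image defaults.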
Following responsible disclosure on two occasions, in August 2022 and May 2023, the flaws were addressed in SANnav version 2.3.1, released in December 2023. Brocade's parent company Broadcom, which also owns Symantec and VMware, published advisories for the flaws earlier this month.
Hewlett Packard Enterprise has also shipped patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.
Some parts of this article are sourced from:
thehackernews.com