By default, SANnav OVA is shipped with root user login enabled (CVE-2024-2859)
23245
Last updated: 30 April 2024
Published: 16 April 2024
Status: CLOSED
Severity: MEDIUM
CVSS v3.1: 6.8 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2024-2859

Brocade Security Advisory ID | BSA-2024-2560
Component | OpenSSH
Summary
By default, SANnav OVA is shipped with root user login enabled.
Product Affected
All Brocade OVA SANnav versions
Mitigation
Starting with SANnav OVA version v2.3.0 and later, a root account is not required for installation and management of SANnav.
If an administrator is uncomfortable allowing users to log in as root, they can follow the best practice below, in which root login is disabled:
Best practice recommendation for SANnav OVA versions v2.3.0 and later:
Step 1: Before installing SANnav, log in as root and create a local sudo user.
Step 2: Edit the OpenSSH configuration file (/etc/ssh/sshd_config) to disable root login (PermitRootLogin no).
Step 3: Restart sshd (systemctl restart sshd).
Step 4: Log out from root, and log in as the created sudo user.
Step 5: Start the SANnav installation.
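The Step 2 edit above, as an added example that is not part of the advisory: a small POSIX shell script that makes the PermitRootLogin change repeatable and reports the value sshd will actually obtain from the file, instead of relying on a hand edit. It assumes a POSIX shell with awk and a config path passed as an argument; the function names and the sample config fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Brocade advisory: make the step-2 edit
# (PermitRootLogin no) repeatable and verifiable instead of relying on a
# hand edit. sshd uses the FIRST value it obtains for a keyword, so the
# directive is inserted at the top of the global section, ahead of any
# earlier "PermitRootLogin yes" and of any Match block. Match blocks are
# left untouched: they override the global value only for matching users.
# Assumes a POSIX shell with awk; the config path is passed as $1.

set -eu

# effective_permit_root_login FILE
# Prints the global PermitRootLogin value sshd would obtain from FILE, or
# "unset" when no active global directive exists (OpenSSH then defaults to
# prohibit-password, which still allows key-based root login).
effective_permit_root_login() {
  awk '
    tolower($1) == "match" { exit }                 # end of global section
    tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# set_permit_root_login_no FILE
# Removes every active global PermitRootLogin line (commented lines are
# not directives and are kept) and inserts "PermitRootLogin no" first.
set_permit_root_login_no() {
  f="$1"
  tmp="$f.tmp.$$"
  awk '
    tolower($1) == "match" { in_match = 1 }
    !in_match && tolower($1) == "permitrootlogin" { next }
    { print }
  ' "$f" > "$tmp"
  { echo "PermitRootLogin no"; cat "$tmp"; } > "$f"
  rm -f "$tmp"
}

# demo: run against a constructed sshd_config fragment in a temp file and
# show the effective value before and after (real target: /etc/ssh/sshd_config).
demo() {
  d="$(mktemp)"
  printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'Match User backup' '    PermitRootLogin no' > "$d"
  echo "before: $(effective_permit_root_login "$d")"   # yes
  set_permit_root_login_no "$d"
  echo "after:  $(effective_permit_root_login "$d")"   # no
  rm -f "$d"
}
```

On the live host, validate the edited file with `sshd -t` before the Step 3 restart, and confirm the effective setting with `sshd -T | grep -i permitrootlogin`, which also accounts for any Include files that the script above does not read.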
Credit
- Brocade found the issue through internal penetration testing and fixed it in Brocade SANnav v2.3.0.
- Pierre Barre reported the issue to Brocade later.
Revision History
Version | Change | Date
1.0 | Initial Publication | 4/16/2024
2.0 | Added mitigation steps | 4/26/2024
2.1 | Minor grammar edits | 4/30/2024
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.