Hard-coded credential in the documentation that appears as the root password (CVE-2024-29966)
23255
30 April 2024
17 April 2024
CLOSED
HIGH
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-29966
| Brocade Security Advisory ID | BSA-2024-2569 |
| Component | hard-coded credential |
Summary
Brocade SANnav OVA provides a Linux root account for use during the initial installation and management of the SANnav product. The default password for the root account is documented in the SANnav installation guide. This could allow an unauthenticated attacker full access to a Brocade SANnav OVA if the Admin does not change the root password from its default after installing the SANnav product.
Products Affected
Brocade SANnav before v2.3.0a
Solution
The security update provided in Brocade v2.3.1, v2.3.0a and later releases forces the user to change the root password after first login.
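The following inventory triage is an added example, not part of Brocade's advisory or tooling: it flags hosts running a release before v2.3.0a and hosts whose root password was last changed before the appliance was deployed. Assumptions: a letter suffix sorts after the bare release (2.3.0 < 2.3.0a < 2.3.1), the root line of /etc/shadow and the deployment date are available for each host, and all function names, host names and shadow entries are constructed for illustration.

```python
import re
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIXED_IN = "2.3.0a"  # advisory: affected is "Brocade SANnav before v2.3.0a"

def parse_version(text):
    # Assumption: a letter suffix is a patch build that sorts after the bare
    # release, i.e. 2.3.0 < 2.3.0a < 2.3.1.
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (4 - len(nums)), m.group(2)

def is_affected(version):
    return parse_version(version) < parse_version(FIXED_IN)

def root_password_state(shadow_line, deployed_on):
    # shadow(5) field 3 is the day of the last password change (days since epoch).
    fields = shadow_line.strip().split(":")
    if len(fields) < 3 or fields[0] != "root":
        raise ValueError("not a root shadow entry")
    if fields[2] == "":
        return "unknown"        # no aging data recorded
    if fields[2] == "0":
        return "change-forced"  # must be changed at next login
    changed = EPOCH + timedelta(days=int(fields[2]))
    # A change date older than the deployment means the password shipped with the image.
    return "changed" if changed >= deployed_on else "unchanged-since-deploy"

def triage(host):
    actions = []
    if root_password_state(host["shadow_root"], host["deployed_on"]) != "changed":
        actions.append("set-root-password")
    if is_affected(host["version"]):
        actions.append("upgrade")
    return actions

def shadow(day):  # constructed sample entry; the hash field is a placeholder
    return f"root:$6$CONSTRUCTED$placeholder:{(day - EPOCH).days}:0:99999:7:::"

DEPLOYED = date(2024, 3, 1)
INVENTORY = [  # constructed hosts, not real systems
    {"name": "sannav-a", "version": "v2.2.2", "deployed_on": DEPLOYED, "shadow_root": shadow(date(2023, 6, 1))},
    {"name": "sannav-b", "version": "2.3.0", "deployed_on": DEPLOYED, "shadow_root": shadow(date(2024, 3, 2))},
    {"name": "sannav-c", "version": "2.3.0a", "deployed_on": DEPLOYED, "shadow_root": shadow(date(2024, 3, 5))},
]
if __name__ == "__main__":
    for h in INVENTORY:
        print(h["name"], triage(h) or ["ok"])
```

The password-age check is a heuristic: it shows that the password was changed after deployment, not that the new password is strong.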
Credit
Pierre Barre reported the issue to Brocade.
Revision History
| Version | Change | Date |
|---|---|---|
| 1.0 | Initial Publication | 4/16/2024 |
| 1.1 | Re-worded summary and solution statements to provide more clarity about the issue and the solution | 4/30/2024 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.