Protection mechanisms (CVE-2024-4159)
23282
25 April 2024
25 April 2024
OPEN
MEDIUM
4.3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2024-4159
Brocade Security Advisory ID | BSA-2024-2573
Component | Docker
Summary
Brocade SANnav before v2.3.0a lacks protection mechanisms on ports 2377/TCP and 7946/TCP, which could allow an unauthenticated attacker to sniff SANnav Docker information.
Products Affected
Brocade SANnav before Brocade SANnav v2.3.0a
Solution
- A security update is available in Brocade SANnav v2.3.1 and v2.3.0a.
- The Brocade SANnav v2.3.1 installation guide has been updated with sample iptables rules that a customer can create to selectively open the ports for FOS switches and close the rest. More information can be found at: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/pdf/fc-networking/software-sannav/sannav-231x-mp-install.pdf
- For Brocade SANnav versions prior to v2.3.0a, the following rules can be applied:
For IPv4:
iptables -A SANNAV-CHAIN -s <source IP Address/subnet> -i <interface-to-block> -p <protocol> -m <protocol> --dport <port> -j ACCEPT
iptables -A SANNAV-CHAIN -i <interface-to-block> -p <protocol> -m <protocol> --dport <port> -j DROP
Examples:
iptables -A SANNAV-CHAIN -s x.x.x.x/32 -i eth0 -p tcp -m tcp --dport 19094 -j ACCEPT
iptables -A SANNAV-CHAIN -i eth0 -p tcp -m tcp --dport 19094 -j DROP
For IPv6:
ip6tables -A SANNAV-CHAIN -s <source IP Address/subnet> -i <interface-to-block> -p <protocol> -m <protocol> --dport <port> -j ACCEPT
ip6tables -A SANNAV-CHAIN -i <interface-to-block> -p <protocol> -m <protocol> --dport <port> -j DROP
Examples:
ip6tables -A SANNAV-CHAIN -s <IPv6 address>/128 -i eth0 -p tcp -m tcp --dport 19094 -j ACCEPT
ip6tables -A SANNAV-CHAIN -i eth0 -p tcp -m tcp --dport 19094 -j DROP
- Contact Brocade TAC for additional assistance.
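As an added example (not part of the Brocade advisory), the following Python script generates the complete iptables/ip6tables rule set the advisory describes for a list of allowed FOS switch addresses, so the rules can be reviewed before they are applied; it also emits the creation of SANNAV-CHAIN and the jump from INPUT that the advisory's -A rules assume already exist. The interface name, the sample addresses and the default port list are assumptions, and it rejects a malformed source such as the x.x.x.x/32 placeholder instead of producing a rule that iptables would refuse.

```python
import ipaddress

# The two Docker ports the advisory names as lacking protection (assumed default set).
DEFAULT_PORTS = (2377, 7946)


def build_sannav_rules(allowed_sources, iface="eth0", ports=DEFAULT_PORTS,
                       chain="SANNAV-CHAIN"):
    """Return (ipv4_rules, ipv6_rules): lists of iptables/ip6tables command lines.

    allowed_sources: addresses or CIDR prefixes of FOS switches that may reach
    the ports; IPv4 entries go to iptables, IPv6 entries to ip6tables.
    A value that is not a valid address/prefix raises ValueError.
    """
    nets = {4: [], 6: []}
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)  # bare host -> /32 or /128
        nets[net.version].append(net)

    rules = {4: [], 6: []}
    for version, tool in ((4, "iptables"), (6, "ip6tables")):
        lines = rules[version]
        # The advisory's rules append to SANNAV-CHAIN; the chain must exist and
        # INPUT must hand traffic on the interface to it, or nothing is filtered.
        lines.append(f"{tool} -N {chain}")
        lines.append(f"{tool} -I INPUT -i {iface} -j {chain}")
        for port in ports:
            # One ACCEPT per allowed switch, then a catch-all DROP for the port,
            # matching the ACCEPT-then-DROP order shown in the advisory.
            for net in nets[version]:
                lines.append(f"{tool} -A {chain} -s {net.with_prefixlen} -i {iface} "
                             f"-p tcp -m tcp --dport {port} -j ACCEPT")
            lines.append(f"{tool} -A {chain} -i {iface} -p tcp -m tcp "
                         f"--dport {port} -j DROP")
    return rules[4], rules[6]


if __name__ == "__main__":
    # Constructed sample switch addresses, not from the advisory.
    v4, v6 = build_sannav_rules(["10.0.0.5", "10.0.1.0/24", "2001:db8::10"])
    print("\n".join(v4 + v6))
```

Pipe the printed lines into a shell only after checking them; because the script uses -N, re-running it against a host where SANNAV-CHAIN already exists will fail on that line rather than silently duplicating rules.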
Credit
- Pierre Barre reported the issue to Brocade
Revision History
Version | Change | Date
1.0 | Initial publication | April 24, 2024
2.0 | Updated to include iptables rules and changed CVSS score | April 25, 2024
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.