SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems
37146
03 March 2026
03 March 2026
CLOSED
MEDIUM
8.8
CVE-2025-11561
| Brocade Security Advisory ID | BSA-2026-3186 |
| Component | SSSD |
Summary
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
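A defensive check for the fallback described in the summary, as an added example that is not part of the Brocade advisory: it parses krb5.conf text and reports whether the built-in an2ln localauth module can still be reached. It assumes the MIT krb5 `[plugins]` `localauth` tags `module`, `disable` and `enable_only`, and that any included files have already been concatenated into the text; the function names and sample configurations are constructed for illustration.

```python
import re

def localauth_settings(conf_text):
    """Collect tag -> [values] from the localauth block of [plugins]."""
    settings, section, in_block = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new top-level section
            section, in_block = m.group(1), False
            continue
        if section != "plugins":
            continue
        if in_block:
            if line.startswith("}"):
                in_block = False
            elif "=" in line:
                tag, value = (p.strip() for p in line.split("=", 1))
                # Tags may repeat; each line carries exactly one module name.
                settings.setdefault(tag, []).append(value)
        elif re.fullmatch(r"localauth\s*=\s*\{", line):
            in_block = True
    return settings

def an2ln_fallback_possible(conf_text):
    """True when nothing in the config keeps the an2ln module from loading."""
    s = localauth_settings(conf_text)
    if "an2ln" in s.get("disable", []):
        return False
    only = s.get("enable_only")
    if only:                                     # only the listed modules load
        return "an2ln" in only
    return True

# Constructed sample: SSSD module registered, an2ln left enabled.
DEFAULT_LIKE = """[libdefaults]
 default_realm = EXAMPLE.TEST
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""
# Constructed sample: same block with the an2ln module disabled.
HARDENED = DEFAULT_LIKE.replace(" }\n", "  disable = an2ln\n }\n")

if __name__ == "__main__":
    for name, text in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, "an2ln fallback possible:", an2ln_fallback_possible(text))
```

A value such as `disable = an2ln k5login` is deliberately not split, so a mistyped list is reported as still exposing the fallback rather than as safe.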
Products Affected
- Brocade SANnav base OS (OVA deployment) before 2.4.0b and 3.0.0
- Brocade ASCG base OS (OVA deployment) before 3.4.0
Products Not Affected
- Brocade Fabric OS [VEX Justification: Component_not_present]
- Brocade SANnav standard deployment [VEX Justification: Component_not_present]
- Brocade ASCG standard deployment [VEX Justification: Component_not_present]
Solution
- Solution provided in Brocade ASCG 3.4.0
- Solution provided in Brocade SANnav OVA version 2.4.0b
- SANnav base OS security update also provided in the sannav_ova_8x_os OVA patch, which can be applied to all SANnav OVA releases 2.3.0 through 2.4.0a
- Security update provided in Brocade SANnav OS patch sannav_ova_9x_os_02_2026 that can be applied to Brocade SANnav 3.0.0
Revision History
| Version | Change | Date |
| 1.0 | Initial Publication | March 3, 2026 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.