HTTPS configuration between Brocade SANnav Management Portal and Brocade SAN switches (no CVE)
Brocade Security Advisory ID |
BSA-2024-2574 |
Component |
HTTPS configuration |
|
|
Summary
A security researcher reported a lack of encryption in Brocade SANnav for management protocol (HTTP). The researcher states:
By default, the appliance can be installed with these options:
To configure HTTP or HTTPS connections between SANnav Management Portal and SAN switches, select one of the following options:
0 For HTTP
1 For HTTPS (SAN switches must be configured for HTTPS connection)
2 For HTTPS first then HTTP (if HTTPS fails)
The options 0 and 2: Fall-back to an insecure protocol are insecure. Consequently, an attacker can block HTTPS connections and retrieve the passwords of switches over HTTP.
It was observed that the test SANnav appliance connects to remote switches using a clear-text network protocol (HTTP) if the option 2 is set and the HTTPS traffic is blocked. This allows an attacker to retrieve passwords of devices by sniffing the network.
Brocade Response
During Brocade SANnav installation, a prompt requests several times to select an option from various settings. A Brocade SANnav upgrade from an earlier version of SANnav keeps the settings from the previous installation.
A SANnav admin can always configure https later with the CLI. (See SANnav Management Console in the Brocade SANnav documentation for information)
At the Prompt: “Select an option to configure HTTP or HTTPS connections between SANnav and the SAN switches" Broadcom recommends selecting Option 1 for HTTPS.
- 1 for HTTPS (Secure communication. Requires that you have a Certificate Authority (CA)-provided SSL certificate or self-signed certificate and that your switches are configured for HTTPS.)
Notes:
- Configure the Brocade Switch for HTTPS.
- Starting from Brocade Fabric OS v9.1.1, at the factory, HTTPS is enable by default.
- In Brocade Fabric v9.2.0, the default setting is HTTPS.
Contact Brocade TAC for additional assistance if required.
Revision History
Version |
Change |
Date |
1.0 |
Initial Publication |
4/24/2024 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.