Brocade SANnav exposes Kafka on the WAN interface (CVE-2024-4173)

Brocade SANnav


23286

07 May 2024

25 April 2024

CLOSED

HIGH

7.6 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE-2024-4173

Brocade Security Advisory ID

BSA-2024-2577

Component

IPTABLES Rules


Summary

The ports used by Brocade SANnav's Kafka service are reachable from the entire WAN rather than being restricted to the Fabric OS switches that SANnav has discovered. Additionally, in Brocade SANnav versions prior to v2.2.0, the Kafka process is started as the root user with default credentials.

The vulnerability could allow an unauthenticated attacker to perform various attacks, including denial of service (DoS), against Brocade SANnav.

Products Affected

  • Brocade SANnav 

Note

  • In supported SANnav versions, encrypted Kafka communication is enabled.

Remediation

  • Brocade SANnav v2.2.0 and later versions no longer start Kafka as the root user. In addition, the Kafka password must be customized during installation, and the previous default password is no longer accepted. The telemetry ports themselves remain open by default in these versions; use one of the options below to restrict them to the managed switches.

Details: SANnav telemetry comprises two components, Kafka and Schema Registry.

Option 1: Firewall

By adding firewall rules, users can selectively open the telemetry (KAFKA and Schema Registry) ports (19094, 19095, 18081 & 18082) for communication from FOS switches. The SANnav Management Portal installation guide has a section titled “Ports that Must Be Open in the Firewall,” which has detailed information on which ports and in which direction these ports need to be opened.

Option 2: IPtables

SANnav Management Portal leaves telemetry (KAFKA and Schema Registry) ports (19094, 19095, 18081 & 18082) open by default. Users can choose to close these ports and open them for selective sources. Below is the syntax and procedure for closing and selectively opening these ports for communication from managed switches.

Note: A reboot of the operating system clears all manually created iptables rules. After every reboot, users need to recreate the rules.

Below are the common scenarios and steps.

1. Block Telemetry access for sources outside the SANnav VM / Host:

iptables -N TELEMETRY-CHAIN

iptables -A INPUT -p tcp -j TELEMETRY-CHAIN 

iptables -A TELEMETRY-CHAIN -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 -j DROP

Important Note: If your VM or Host network interface has a name other than eth0, replace the value of the “-i” option accordingly. To find the interface name, run “ip addr” (or “ifconfig” on systems that still provide it) and note the interface that carries the SANnav IP address. Because iptables evaluates INPUT top to bottom and the jump above is appended to the end of INPUT, also confirm with “iptables -S INPUT” that no earlier rule already accepts these ports; if one does, insert the jump ahead of it (for example with “iptables -I INPUT 1 -p tcp -j TELEMETRY-CHAIN”) instead of appending it.

2. Open Telemetry access for the entire source IP subnet:

  • Step 1: Block Telemetry access for all sources from outside the SANnav VM / Host. Follow the instructions given above (#1).
  • Step 2: Open the telemetry access for a subnet of your choice
    • iptables -I TELEMETRY-CHAIN 1 -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 -s <ipaddress/subnet> -j ACCEPT
    • Example: iptables -I TELEMETRY-CHAIN 1 -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 -s 192.19.0.0/24 -j ACCEPT
  • Step 3: Repeat step 2 for each of the subnets you want to open.

Important Note: If your environment has IPv6 enabled, run the same commands with “ip6tables” in place of “iptables”.

3. Open Telemetry access for a range of source IP Addresses:

  • Step 1: Block Telemetry access for all sources from outside the SANnav VM / Host. Follow the instructions given above (#1).
  • Step 2: Open the telemetry access for a range of IP addresses of your choice
    • iptables -I TELEMETRY-CHAIN 1 -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 --match iprange --src-range <Starting IP Address>-<End IP Address> -j ACCEPT
    • Example: iptables -I TELEMETRY-CHAIN 1 -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 --match iprange --src-range 192.19.0.1-192.19.0.200 -j ACCEPT
  • Step 3: Repeat step 2 for each of the IP ranges you want to open.

4. Open Telemetry access for a single source IP Address or multiple IP addresses separated by commas:

  • Step 1: Block Telemetry access for all sources from outside the SANnav VM / Host. Follow the instructions given above (#1).
  • Step 2: Open the telemetry access for a single source IP address or multiple IP addresses separated by commas
    • iptables -I TELEMETRY-CHAIN 1 -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 -s ipaddress1,ipaddress2… -j ACCEPT
    • Example: iptables -I TELEMETRY-CHAIN 1 -i eth0 -p tcp -m tcp --match multiport --dports 18081,18082,19094,19095 -s 192.19.0.1,192.19.0.2,192.19.0.3 -j ACCEPT
  • Step 3: Repeat step 2 for each of the IP addresses you want to open.

Note: A comma-separated -s list is expanded by iptables into one rule per address, so “iptables -S” lists them separately and each must be deleted individually (see #6). Please remember to add an iptables rule that allows telemetry streaming whenever a new switch is discovered in SANnav.


5. Delete / Flush all the rules and reset: 

  • The steps below delete all the iptables rules created above and reopen access to all Telemetry ports.

iptables -F TELEMETRY-CHAIN

iptables -D INPUT -p tcp -j TELEMETRY-CHAIN

iptables -X TELEMETRY-CHAIN

6. Delete IPTABLE rule

  • Step 1: Identify the rule you want to delete. Execute “iptables -S | grep <search_string_ipaddress>”

Example: iptables -S | grep 192.19.0.3

Sample Output:

-A TELEMETRY-CHAIN -s 192.19.0.3 -i eth0 -p tcp -m tcp -m multiport --dports 18081,18082,19094,19095 -j ACCEPT

  • Step 2: Delete the rule.

iptables -D  TELEMETRY-CHAIN -s 192.19.0.3 -i eth0 -p tcp -m tcp -m multiport --dports 18081,18082,19094,19095 -j ACCEPT

  • If assistance is required to restrict IP access, contact your service provider.
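The six scenarios above are steps of one procedure that has to be repeated after every reboot and whenever a new switch is discovered. The following script is an added example and is not part of the Brocade advisory or of the SANnav product; it turns that procedure into one idempotent command that rebuilds TELEMETRY-CHAIN from a list of allowed sources (single address, CIDR subnet, or Start-End range, IPv4 or IPv6, choosing iptables or ip6tables per entry) and ends the chain with the DROP. Two deliberate differences from the advisory's commands are assumptions made here: the chain is flushed and rebuilt on every run rather than edited rule by rule, and the jump from INPUT is inserted at position 1 rather than appended so that a pre-existing catch-all rule in INPUT cannot shadow it. The interface name, the source list and the FAMILIES variable are placeholders to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the Brocade advisory: rebuild TELEMETRY-CHAIN from a
# list of allowed telemetry sources. Interface and sources are operator-supplied.

CHAIN=TELEMETRY-CHAIN
# Telemetry ports quoted in the advisory (Kafka and Schema Registry).
PORTS=18081,18082,19094,19095
# Address families to manage; set FAMILIES=iptables on hosts without ip6tables.
FAMILIES=${FAMILIES:-"iptables ip6tables"}

# Classify one source spec the way scenarios 2, 3 and 4 above do.
#   Start-End form  -> range  (needs the iprange match)
#   address/len     -> subnet (plain -s)
#   bare address    -> single (plain -s)
classify_source() {
    case "$1" in
        *-*) echo range ;;
        */*) echo subnet ;;
        *)   echo single ;;
    esac
}

# Choose the tool by address family: anything containing ':' is IPv6.
tool_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Print the command plan without running anything.
# Usage: build_rules IFACE SOURCE...
build_rules() {
    iface=$1
    shift
    for t in $FAMILIES; do
        # Create the chain, or flush it if a previous run left it in place, so
        # re-running after a switch is added never duplicates rules.
        echo "$t -N $CHAIN 2>/dev/null || $t -F $CHAIN"
        # Hook INPUT into the chain exactly once. Position 1 is an assumption
        # made here (the advisory appends with -A) so an earlier catch-all
        # rule in INPUT cannot shadow the chain.
        echo "$t -C INPUT -p tcp -j $CHAIN 2>/dev/null || $t -I INPUT 1 -p tcp -j $CHAIN"
    done
    # One ACCEPT per allowed source, appended in order into the freshly flushed chain.
    for src in "$@"; do
        t=$(tool_for "$src")
        case "$(classify_source "$src")" in
            range)
                echo "$t -A $CHAIN -i $iface -p tcp -m multiport --dports $PORTS --match iprange --src-range $src -j ACCEPT" ;;
            *)
                echo "$t -A $CHAIN -i $iface -p tcp -m multiport --dports $PORTS -s $src -j ACCEPT" ;;
        esac
    done
    # Everything else reaching the telemetry ports is dropped, in every managed family.
    for t in $FAMILIES; do
        echo "$t -A $CHAIN -i $iface -p tcp -m multiport --dports $PORTS -j DROP"
    done
}

# Apply the plan (needs root), or only print it when DRY_RUN=1.
# Example: DRY_RUN=1 ./telemetry-rules.sh eth0 192.19.0.0/24 192.19.0.1-192.19.0.200
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_rules "$@"
    else
        build_rules "$@" | sh -e
    fi
}

# Run only when invoked with arguments, so sourcing the file for review is safe.
if [ "$#" -gt 0 ]; then
    apply_rules "$@"
fi
```

Run it with DRY_RUN=1 first to review the plan, then as root to apply it. Afterwards “iptables -S TELEMETRY-CHAIN” should list the ACCEPT rules followed by the single DROP, and a TCP connection attempt to port 19094 from a host that is not in the list should time out while a managed switch keeps streaming. Because the rules do not survive a reboot, the same invocation can be run from a boot-time service, and re-running it with an extended source list is how a newly discovered switch is admitted.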

Credit

Pierre Barre reported the issue to Brocade 

Revision History

Version   Change                                                                    Date
1.0       Initial Publication                                                       04/24/2024
2.0       Update to include further details on IPTABLES rules and CVSS score        04/25/2024
3.0       Updated to reflect that SANnav v2.2.0 no longer runs as root with         04/30/2024
          default credentials. Added note about script under development for
          the remaining open port issue.
3.1       Added details about SANnav telemetry                                      05/07/2024


Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.