Broadcom Security Response BSNSA23245
Published: Apr 16, 2024

By default, SANnav OVA is shipped with root user login enabled (CVE-2024-2859)

Source: support.broadcom.com
Tags: brocade sannav, vulnerability, remote unauthorized access, root login, arbitrary commands

AI Score: 7.2 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 8.7%)

By default, SANnav OVA is shipped with root user login enabled.

Product Affected

All Brocade OVA SANnav versions

Mitigation

Starting with SANnav OVA version v2.3.0 and later versions, a root account is not required for installation and management of SANnav.

If an administrator is uncomfortable allowing users to log in as root, they can follow the best practice below, in which root login is disabled:

Best practice recommendation for use on SANnav OVA versions v2.3.0 and later:

> Step 1: Before installing SANnav, log in as the root user and create a local sudo user.

> Step 2: Edit the OpenSSH configuration file (/etc/ssh/sshd_config) to disable root login (PermitRootLogin no).

> Step 3: Restart sshd (systemctl restart sshd).

> Step 4: Log out from root, and log in as the created sudo user.

> Step 5: Start the SANnav installation.
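The five steps above, as an added shell example that is not part of the Broadcom advisory. The functions that edit and check the PermitRootLogin directive run against a constructed sample sshd_config in a temporary file, so the whole script can be exercised without touching a real appliance; the privileged steps (user creation, sudo group, sshd restart) are wrapped in a function that is only meant to be invoked as root on the OVA. The username "sannavadmin" and the sudo group name "wheel" are assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example, not Broadcom's code: automates the advisory's best practice
# (create a sudo user, set "PermitRootLogin no", restart sshd) and verifies
# the resulting configuration. Assumed names: user "sannavadmin", group "wheel".
set -eu

# Step 2: rewrite every active (uncommented) PermitRootLogin line to "no";
# append the directive if the file never sets it. Commented lines are left
# alone. Caveat: directives inside a "Match" block are not special-cased here.
disable_root_login() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf 'PermitRootLogin no\n' >> "$cfg"
    fi
}

# Print the value sshd will actually use. OpenSSH takes the FIRST occurrence
# of a keyword, and the built-in default when it is absent is
# "prohibit-password" (key-based root login still allowed), not "no".
effective_permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${val:-prohibit-password}"
}

# Check used before restarting sshd: true only when root login is fully off.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample config (not taken from a SANnav OVA) with root login on.
make_sample_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
    printf '%s\n' "$cfg"
}

# Steps 1 and 3 on the appliance itself; run as root, once, before Step 5.
# Not invoked by the demo below because it needs root and a real sshd.
apply_on_appliance() {
    user="${1:-sannavadmin}"          # assumed username
    useradd -m -s /bin/bash "$user"
    passwd "$user"
    usermod -aG wheel "$user"         # assumed sudo group; some distros use "sudo"
    disable_root_login /etc/ssh/sshd_config
    root_login_disabled /etc/ssh/sshd_config
    sshd -t                           # syntax-check before restarting
    systemctl restart sshd
}

demo() {
    cfg=$(make_sample_config)
    printf 'before: PermitRootLogin %s\n' "$(effective_permit_root_login "$cfg")"
    disable_root_login "$cfg"
    printf 'after:  PermitRootLogin %s\n' "$(effective_permit_root_login "$cfg")"
    rm -f "$cfg"
}

demo
```

Running `sshd -t` before `systemctl restart sshd` matters on an appliance reached only over SSH: a syntax error in the edited file would otherwise leave no way back in once the daemon is restarted, and the sudo user from Step 1 must be confirmed working before root is locked out.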

Credit

  • Brocade found the issue through internal penetration testing and fixed it in Brocade SANnav v2.3.0.
  • Pierre Barre reported the issue to Brocade later.
