CVE-2024-29960 MEDIUM

CVE-2024-29960: Identical SSH keys utilized inside the OVA image (CVE-2024-29960)

Vendor Brocade
Product Brocade SANnav
Weakness CWE-798 · Hardcoded credentials
Published April 19, 2024
Last update August 2, 2024

CVSS base score

6.8/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SANnav VM based on the official OVA images is vulnerable to man-in-the-middle (MITM) attacks over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav server.

Key dates

02 Disclosure timeline

April 19, 2024 CVE published
August 2, 2024 Record updated