Lenovo discovered a firmware backdoor in RackSwitch and BladeCenter networking switch families during an internal security audit.
Security experts at Levono have spotted a firmware backdoor, tracked CVE-2017-3765, in RackSwitch and BladeCenter networking switch families during an internal security audit.
An authentication bypass affects only in RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System), the tech giant promptly addressed it with firmware updates last week.
The Enterprise Network Operating System (ENOS) is the firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches.
According to the security advisory published by Lenovo, the backdoor (dubbed “HP backdoor”) was added to ENOS in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit.
The backdoor was intentionally inserted by Nortel that added it at the request of a BSSBU OEM customer.
“An authentication bypass mechanism known as “HP Backdoor” was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions.” states the security advisory.
“A source code revision history audit revealed that this authentication bypass mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer.”
The backdoor was never removed from the firmware even after three acquisitions of the unit. Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT), IBM acquired BNT in 2010, and Lenovo bought IBM’s BNT portfolio in 2014 … but the HP backdoor was never removed.
This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. the exploitation of the backdoor could grant the attacker admin-level access.
Below the list of ENOS interfaces and authentication configurations affected by the issue:
- Telnet and Serial Console when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances described below
- Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances described below
- SSH for certain firmware released in May 2004 through June 2004 (only) when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances described below; the vulnerable code is present in more recent firmware, but not used
Lenovo has provided the firmware source code to a third-party security partner to enable independent investigation of the issue, the company declined any responsibility and expressed its disappointment for the presence of the backdoor:
“The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.” continues the advisory
“Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it.”
Lenovo released firmware updates for both newer and older (IBM-branded) RackSwitch and BladeCenter networking switch families.
The full list of impacted switches and associated links for the latest firmware were included in the advisory.
Lenovo confirmed that the backdoor doesn’t affect the switches running CNOS (Cloud Network Operating System).