During an internal security audit, security experts at Lenovo identified a firmware backdoor in the RackSwitch and BladeCenter networking switch families. The China-based company released firmware updates during the second week of January 2018 to fix this network switch backdoor.
Backdoor Added in 2004 in ENOS
The firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches is known as the Enterprise Network Operating System (ENOS).
According to the security advisory published by Lenovo, the backdoor (dubbed “HP backdoor”) was added to ENOS in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit.
Lenovo claims Nortel might have authorized the backdoor to be added to the system “at the request of a BSSBU OEM customer.” The backdoor code remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT). The backdoor also remained in the source code even after IBM’s acquisition of BNT in 2010. IBM’s BNT portfolio was acquired by Lenovo in 2014.
The backdoor can be reached under certain circumstances when credentials are checked through local authentication. Successful exploitation of this vulnerability could grant the attacker admin-level access.
The following ENOS interfaces and authentication configurations are affected by the issue:
- Telnet and Serial Consoles when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances
- SSH for certain firmware versions released during May 2004 to June 2004 when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances
- Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances
Updates Released to Remove Backdoor
Lenovo released updates for both families of switches. The list of switches for which firmware updates have been released, along with download links for the firmware, is available in the Lenovo security advisory.
“The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices,” Lenovo said. “Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”
Lenovo confirmed that this network switch backdoor doesn’t affect CNOS (Cloud Network Operating System), so switches running this OS are safe.
This issue is tracked under the CVE-2017-3765 identifier.