Security experts at Lenovo have spotted a firmware backdoor, tracked as CVE-2017-3765, in the RackSwitch and BladeCenter networking switch families during an internal security audit.
The authentication bypass affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The tech giant promptly addressed it with firmware updates last week.
The Enterprise Network Operating System (ENOS) is the firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches.
According to the security advisory published by Lenovo, the backdoor (dubbed “HP backdoor”) was added to ENOS in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit.
The backdoor was intentionally inserted by Nortel, which added it at the request of a BSSBU OEM customer.
“An authentication bypass mechanism known as “HP Backdoor” was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions.” states the security advisory.
“A source code revision history audit revealed that this authentication bypass mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer.”
The backdoor was never removed from the firmware even after three acquisitions of the unit. Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT), IBM acquired BNT in 2010, and Lenovo bought IBM’s BNT portfolio in 2014 … but the HP backdoor was never removed.
This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. Exploitation of the backdoor could grant the attacker admin-level access.
Below is the list of ENOS interfaces and authentication configurations affected by the issue:
Lenovo has provided the firmware source code to a third-party security partner to enable independent investigation of the issue. The company declined any responsibility and expressed its disappointment at the presence of the backdoor:
“The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.” continues the advisory.
“Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it.”
Lenovo released firmware updates for both newer and older (IBM-branded) RackSwitch and BladeCenter networking switch families.
The full list of impacted switches and associated links for the latest firmware were included in the advisory.
Lenovo confirmed that the backdoor doesn’t affect the switches running CNOS (Cloud Network Operating System).
(Security Affairs – Lenovo Switches, backdoor)