Monday, November 4, 2024
HomeSecurity NewsLenovo Discovered a Backdoor in Network Switches Which Allows Attacker Could Perform...

Lenovo Discovered a Backdoor in Network Switches Which Allows Attacker Could Perform DDOS

Published on

Malware protection

Lenovo discovered a backdoor in network switches that powered by Enterprise Network Operating System firmware during the security audit by Lenovo in the Telnet and Serial Console management interfaces.

An Authentication bypass mechanism Backdoor also called “HP Backdoor” was discovered with some Lenovo and IBM RackSwitch and BladeCenter switch that allows attacker gain the switch management console interface.

This bypass mechanism can be accessed when performing local authentication under specific and unique circumstances.

- Advertisement - SIEM as a Service

If the flaw will be perfectly exploited that it gives direct admin levels access to the switch that leads to performing massive DDOS Attack.

Authentication Bypass mechanism added in 2004

This mechanism was added in 2004 to ENOS when its owned by Nortel’s Blade Server Switch Business Unit.

Also Read Cisco ETA – Provides Solution for Detecting Malware in Encrypted Traffic

Lenovo discovered this while source code revision and auditing history as confirmed the same.According to Lenovo Following ENOS interfaces and authentication configurations are vulnerable.

Telnet and Serial Console when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances described below
Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances described below
SSH for certain firmware released in May 2004 through June 2004 (only) when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances described below; the vulnerable code is present in more recent firmware, but not used

Circumstances

  • SSH in firmware released after June 2004 are not vulnerable
  • SSH and Web using only local authentication are not vulnerable
  • SSH, Web, Telnet, and Serial Console using LDAP, RADIUS, or TACACS+ without use of local authentication fallback are not vulnerable
  • Other management interfaces, such as SNMP, are not vulnerable

Lenovo Feels, the current authentication mechanism that is used in RackSwitch and  BladeCenter switches are being bypassed is completely unacceptable.

Mitigation – Lenovo

Lenovo Removed the source code that belongs to this authentication bypass mechanism and customers are advised to upgrade to the firmware which eliminates it.

If this firmware upgrade is not suddenly possible then customer adviced to following things.

  • Enable LDAP, RADIUS, or TACAS+ remote authentication AND
  • For any of LDAP, RADIUS, or TACAS+ that are enabled, disable the related “Backdoor” and “Secure Backdoor” local authentication fallback settings AND
  • Disable Telnet AND
  • Restrict physical access to the serial console port.

you can find the affected product version by this backdoor in Lenovo release a CVE() has been assigned( CVE-2017-3765) for this flaw.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical PDF.js & React-PDF Vulnerabilities Threaten Millions Of PDF Users

A new critical vulnerability has been discovered in PDF.js, which could allow a threat...

LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely From Any Browser, Anywhere

LayerX, pioneer of the LayerX Browser Security platform, today announced $24 million in Series...

Email Header Analysis – Verify Received Email is Genuine or Spoofed

Email Header Analysis highly required process to prevent malicious threats since Email is...