Lenovo patched a flaw in its networking operating system dating back to 2004 that allowed attackers to perform an authentication bypass attack via a mechanism called “HP Backdoor.” If exploited, an attacker could gain admin-level access on affected switches, Lenovo said.
The vulnerability is rated “high” and tied to Lenovo’s Enterprise Networking Operating System (ENOS), used in Lenovo and IBM RackSwitch and BladeCenter products.
Lenovo said the vulnerability was introduced to affected switches via a firmware update 14 years ago by the now-defunct Nortel Networks and its blade server and switch business unit. In 2010, Nortel sold the business unit to IBM who then sold it to Lenovo in 2014.
“An authentication bypass known as ‘HP Backdoor’ was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted,” according to the Common Vulnerabilities and Exposures description of the vulnerability (CVE-2017-3765).
Lenovo said the bypass mechanism was “unacceptable” and did not follow the company’s product security or industry practices. “Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products,” stated Lenovo in its security bulletin.
Through an investigation, Lenovo said it found the bypass function was intentionally added in 2004 by Nortel at the request of its OEM customer. Affected are 16 model IBM switches and 16 Lenovo switches, all listed in the advisory.
Lenovo also lists three scenarios where ENOS interfaces and authentication configurations are vulnerable. Briefly stated, each include authentication RADIUS and TACACS+ under certain circumstances.
The vulnerability was identified on Jan. 10 by Lenovo. Lenovo said there are no public exploits of the bug and its Cloud Network Operating System firmware is not impacted by the flaw.