Backdoor access discovered on IBM System Networking Switches
Backdoor access discovered on IBM System Networking Switches
Vulnerability Details:
CVEID: CVE-2014-4752
Descriptoin:
It has been reported that the firmware that runs on some of the IBM System Networking Switches have certain backdoor access login username/password combinations which are hard-coded and not changeable. These could result in potential vulnerabilities.
CVSS Base Score: 10.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Product Description | Affected Firmware Version # |
---|---|
IBM Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch | All Versions Prior to 7.8.6.0 |
IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch | All Versions Prior to 7.8.6.0 |
IBM Flex System Fabric SI4093 System Interconnect Module | All Versions Prior to 7.8.6.0 |
IBM 10G VFSM for Bladecenter | All Versions Prior to 7.8.14.0 |
IBM Flex System EN2092 1Gb Ethernet Scalable Switch | All Versions Prior to 7.8.6.0 |
IBM 1:10G switch for Bladecenter | All Versions Prior to 7.4.8.0 |
IBM Flex System Interconnect Fabric | All Versions Prior to 21.0.21.0 |
IBM 1G switch for Bladecenter | All Versions Prior to 5.3.5.0 |
IBM Server Connectivity Module | All Versions Prior to 1.1.3.4 |
IBM System Networking RackSwitch G8052 | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8124 | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8124-E | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8124-ER | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8264 | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8316 | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8264CS | All Versions Prior to 7.8.6.0 |
IBM System Networking RackSwitch G8264-T | All Versions Prior to 7.9.10.0 |
IBM System Networking RackSwitch G8332 | All Versions Prior to 7.7.17.0 |
IBM System Networking RackSwitch G8000 | All Versions Prior to 7.1.7.0 |
Removed all hard-coded/non-changeable login username/password accesses from switch firmware
Product Description | Fixes |
---|---|
IBM Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch | 7.8.6.0, 7.7.19.0 Available on FixCentral |
IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch | 7.8.6.0, 7.7.19.0 Available on FixCentral |
IBM Flex System Fabric SI4093 System Interconnect Module | 7.8.6.0, 7.7.19.0 Available on FixCentral |
IBM 10G VFSM for Bladecenter | 7.8.14.0, 7.7.5.0, 6.8.18.0 Available on FixCentral |
IBM Flex System EN2092 1Gb Ethernet Scalable Switch | 7.8.6.0, 7.7.19.0 Available on FixCentral |
IBM 1:10G switch for Bladecenter | 7.4.8.0, 6.8.18.0 Available on FixCentral |
IBM Flex System Interconnect Fabric | 7.8.6.0 Available on FixCentral |
IBM 1G L2-7 SLB switch for Bladecenter | 21.0.21.0 Available on FixCentral |
IBM 1G switch for Bladecenter | 5.3.5.0 Available on FixCentral |
IBM Server Connectivity Module | 1.1.3.4 Available on FixCentral |
IBM System Networking RackSwitch G8052 | 7.9.10.0, 7.8.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8124 | 7.9.10.0, 7.7.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8124-E | 7.9.10.0, 7.7.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8124-ER | 7.9.10.0, 7.7.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8264 | 7.9.10.0, 7.8.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8316 | 7.9.10.0, 7.8.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8264CS | 7.8.6.0, 7.7.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8264-T | 7.9.10.0, 7.8.15.0 Available on FixCentral |
IBM System Networking RackSwitch G8332 | 7.7.17.0 Available on FixCentral |
IBM System Networking RackSwitch G8000 | 7.1.7.0 Available on FixCentral |
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
7 August, 2014: Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.