Lenovo Security Advisory: LEN-16095
**Potential Impact:** An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2017-3765
Summary Description:
ENOS, or Enterprise Network Operating System, is the firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches. An authentication bypass mechanism known as “HP Backdoor” was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions. This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. If exploited, admin-level access to the switch is granted.
CNOS, or Cloud Network Operating System, firmware is not vulnerable to this issue.
These ENOS interfaces and authentication configurations are vulnerable to this issue:
Other interfaces and authentication configurations are not vulnerable to this issue:
A source code revision history audit revealed that this authentication bypass mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer. Nortel spun BSSBU off in 2006 to form BLADE Network Technologies (BNT). BNT was purchased by IBM in 2010, and, subsequently, Lenovo in 2014.
Lenovo has provided relevant source code to a third-party security partner to enable independent investigation of the mechanism.
The existence of mechanisms that bypass authentication or authorization is unacceptable to Lenovo and does not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.
Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it.
Mitigation Strategy for Customers (what you should do to protect yourself):
Upgrade to the ENOS firmware version described in the product impact section below.
If upgrading is not immediately possible, then the surest option is to do all the following:
If doing all this is not desired, it may be possible to do a more limited set of actions based on the specifics of your environment. The precise circumstances for the vulnerability are:
SSH management interfaces are vulnerable if:
Note: LDAP is not vulnerable for these interfaces
Note: Local-only authentication is not vulnerable for these interfaces
Web management interfaces are vulnerable if:
Note: LDAP is not vulnerable for these interfaces
Note: Local-only authentication is not vulnerable for these interfaces
Telnet and Serial Console management interfaces are vulnerable if:
For clarity, references to “Backdoor” and “Secure Backdoor” in the Mitigation Strategy for Customers section refer to local authentication fallback mechanisms and not the authentication bypass mechanism described in this advisory. “Backdoor” in the authentication fallback context is an industry standard term used when configuring RADIUS and TACACS+.