Lenovo found & removed backdoor in RackSwitch and BladeCenter Networking Switches

Lenovo engineers recently found a backdoor in the firmware of RackSwitch and BladeCenter network switches, and the company released a firmware update earlier this week. According to Lenovo, the backdoor was discovered during an internal security audit of firmware it had inherited through a chain of corporate acquisitions.

Lenovo said the backdoor only affects RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The mechanism was added to ENOS in 2004, when the code was maintained by Nortel Networks’ Blade Server Switch Business Unit (BSSBU). According to Lenovo, Nortel appears to have authorized its inclusion at the request of a BSSBU OEM customer. In its security advisory Lenovo refers to the mechanism as the “HP backdoor.”

In 2006, Nortel Networks spun off BSSBU as BLADE Network Technologies (BNT), but the backdoor code remained in the firmware.

The backdoor survived IBM’s acquisition of BNT in 2010, and was still in the code when Lenovo acquired the IBM BNT product portfolio in 2014.

“The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”

Firmware updates are available for Lenovo-branded switches and also for older IBM-branded ENOS switches that are still in circulation and in service. Lenovo’s security bulletin lists the affected switch products along with download links for the updated firmware.

Lenovo also said that no such mechanism was found in CNOS (Cloud Network Operating System), so switches running CNOS are not affected.

The so-called HP backdoor is not a hidden account or hard-coded credential. It is an authentication bypass: under a specific set of conditions the switch lets a user through without the usual authentication and authorization checks.

RackSwitch and BladeCenter switches can be administered over SSH, Telnet, the web interface and the serial console, and support several authentication methods on those interfaces. An attacker who can reach one of these interfaces may be able to bypass authentication, but only when the affected switch is running one of the specific combinations of authentication method and security settings under which the bypass is reachable. Customers who cannot apply the firmware update immediately can use the mitigations described in Lenovo’s advisory to keep the backdoor from being triggered, though even with mitigations in place the update is the real fix. The issue is tracked as CVE-2017-3765; follow that identifier for further updates.

Reference: securityaffairs