
Lenovo inherited a switch authentication bypass – from Nortel

A long time ago, in a company far, far away …

By Richard Chirgwin


Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM's hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel.

The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been present in ENOS (Enterprise network operating system) since at least 2004 – when ENOS was still under the hand of Nortel.

Lenovo's advisory says the issue “was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions”.

There are three vulnerable scenarios, the advisory said:

The “unlikely conditions” Lenovo referred to depend on which interface is potentially being attacked.

For SSH access, the management interface is only vulnerable if the system is running firmware created between May and June 2004; RADIUS and/or TACACS+ is enabled; the related “backdoor / secure backdoor” local authentication fallback is enabled (in this case, “backdoor” refers to a RADIUS configuration setting); and finally, a RADIUS or TACACS+ timeout occurs.

The conditions for attacking the Web management interface are that “an unlikely out-of-order execution condition (race condition) occurs”, RADIUS or TACACS+ are enabled (as is the “backdoor / secure backdoor” local authentication fallback), and the RADIUS/TACACS+ timeout occurs.

Telnet and serial console interfaces are vulnerable if LDAP, RADIUS and TACACS+ are all disabled. If any of these are enabled, the vulnerability only exists if authentication fallback is enabled and a RADIUS/TACACS+ timeout happens.
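The per-interface conditions above can be turned into an inventory triage check. The following is an added example, not code from Lenovo or from the advisory; the record fields, device names and sample inventory are hypothetical, and it only reports configuration preconditions, together with the runtime event that would still have to occur.

```python
from dataclasses import dataclass
from datetime import date

TIMEOUT = "RADIUS/TACACS+ timeout"

@dataclass
class SwitchConfig:
    # Hypothetical inventory record; every field name is an assumption.
    name: str
    firmware_built: date
    ldap: bool
    radius: bool
    tacacs: bool
    local_fallback: bool  # the "backdoor / secure backdoor" fallback setting

def exposed_interfaces(sw):
    """Map each interface whose configuration preconditions are met to the
    runtime event the article says must still occur ("none" if nothing more)."""
    remote_auth = sw.radius or sw.tacacs
    # Assumption: the fallback path needs RADIUS or TACACS+, since it is
    # their timeout that triggers it.
    fallback_path = remote_auth and sw.local_fallback
    found = {}
    if not (sw.ldap or remote_auth):
        found["telnet/serial"] = "none"
    elif fallback_path:
        found["telnet/serial"] = TIMEOUT
    # SSH: additionally limited to firmware created May-June 2004
    # (window treated as inclusive calendar months, an assumption).
    if fallback_path and date(2004, 5, 1) <= sw.firmware_built <= date(2004, 6, 30):
        found["ssh"] = TIMEOUT
    if fallback_path:
        found["web"] = "race condition + " + TIMEOUT
    return found

# Constructed sample inventory, not real devices.
INVENTORY = [
    SwitchConfig("lab-a", date(2012, 3, 1), False, False, False, False),
    SwitchConfig("lab-b", date(2004, 5, 20), False, True, False, True),
    SwitchConfig("lab-c", date(2012, 3, 1), False, True, False, False),
    SwitchConfig("lab-d", date(2012, 3, 1), False, False, True, True),
]

def triage(inventory):
    return {sw.name: exposed_interfaces(sw) for sw in inventory}

if __name__ == "__main__":
    for name, found in triage(INVENTORY).items():
        print(name, found or "no matching preconditions")
```

A device with no remote authentication configured at all is the only case reported with no further runtime trigger, which matches the Telnet and serial console condition described above.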

The advisory offers something of a potted history of the networking industry since Nortel's collapse: the authentication bypass was added in 2004, when code was written in response to a request from a Blade Server Switch Business Unit OEM customer (readers with long memories will recall that HP was a reseller of the switches, back in the day). In 2006, already deep in the series of scandals that eventually consumed the company, Nortel spun the switch business out to form a company called Blade Network Technologies. That company was acquired by IBM in 2010, and passed on to Lenovo in 2014. ®
