Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates earlier this week.
The Chinese company said it found the backdoor after an internal security audit of firmware for products added to its portfolio following the acquisitions of other companies.
Backdoor added in 2004
Lenovo says the backdoor affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).
The backdoor was added to ENOS in 2004 when ENOS was maintained by Nortel’s Blade Server Switch Business Unit (BSSBU).
Lenovo claims Nortel appears to have authorized the addition of the backdoor “at the request of a BSSBU OEM customer.” In a security advisory regarding this issue, Lenovo refers to the backdoor under the name of “HP backdoor.”
The backdoor code appears to have remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT).
The backdoor also remained in the code even after IBM acquired BNT in 2010. Lenovo bought IBM’s BNT portfolio in 2014.
Updates released for Lenovo and IBM switches
“The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices,” Lenovo said. “Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”
Updates are available both for newer switches carrying the Lenovo branding and for older IBM-branded switches still in circulation and running ENOS. A list of switches that received firmware updates, along with download links for the firmware, is available in a Lenovo security advisory.
Lenovo said the backdoor is not found in CNOS (Cloud Network Operating System), so switches running this OS are safe.
Backdoor is hard to exploit
The so-called “HP backdoor” is not a hidden account, but an authentication bypass mechanism that becomes active only under very strict conditions.
RackSwitch and BladeCenter switches support various authentication methods, via SSH, Telnet, a web-based interface, and a serial console.
An attacker can exploit this backdoor and bypass authentication only when affected switches have certain authentication mechanisms and security features turned on or off. Lenovo describes the configurations in which the backdoor becomes active in the aforementioned security advisory.
If customers using these switches can’t update right away, there are mitigations they can apply to prevent the backdoor from activating.
This issue is tracked under the CVE-2017-3765 identifier.