Engineers at Chinese firm Lenovo have identified a backdoor in the firmware of its RackSwitch and BladeCenter networking switches. The company stated that the backdoor, referred to in its security advisory (CVE-2017-3765) as the “HP backdoor,” was discovered during an internal security audit of firmware for all the products in its portfolio following acquisitions of other firms. The backdoor affects the Enterprise Network Operating System (ENOS) that runs on these switches.
Reportedly, the backdoor was added to ENOS in 2004, when the operating system was maintained by Nortel’s Blade Server Switch Business Unit (BSSBU). Lenovo claims that Nortel must have authorized the addition of the backdoor at the request of a “BSSBU OEM customer.” The backdoor code seems to have remained hidden in the firmware after Nortel spun off the BSSBU as BLADE Network Technologies (BNT) in 2006, and even after IBM acquired BNT in 2010. Lenovo bought the BNT portfolio from IBM in 2014.
Lenovo has released updates for both lines of networking switches and has stated that it never allows mechanisms to exist that can bypass authentication or authorization, or that do not follow Lenovo’s product security practices.
“Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products,” explained Lenovo in its security advisory.
Researchers at Lenovo claim that the HP backdoor is difficult to exploit because it works only under strict conditions, given that the backdoor isn’t a hidden account but merely an authentication bypass method.
The above-mentioned switches support a variety of access methods, including Telnet, SSH, a serial console and a web-based interface. Exploitation of the backdoor is possible only when affected switches have certain authentication methods and security features turned on or off.
Updates for Lenovo and also IBM switches
The backdoor wasn’t identified in the Cloud Network Operating System (CNOS), so switches that run CNOS are safe. Updates are available both for newer Lenovo-branded switches and for older IBM-branded switches, as these still run ENOS. Lenovo’s security advisory also features a list of the switches that have been updated, along with download links to the firmware.