Enterprise Networking Operating System (ENOS) Authentication Bypass in Lenovo and IBM RackSwitch and BladeCenter Products

Lenovo Security Advisory: LEN-16095

Potential Impact:  An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2017-3765

Summary Description:

ENOS, or Enterprise Network Operating System, is the firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches. An authentication bypass mechanism known as “HP Backdoor” was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions. This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. If exploited, admin-level access to the switch is granted.

CNOS, or Cloud Network Operating System, firmware is not vulnerable to this issue.

These ENOS interfaces and authentication configurations are vulnerable to this issue:

  • Telnet and Serial Console when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances described below
  • Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances described below
  • SSH for certain firmware released in May 2004 through June 2004 (only) when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances described below; the vulnerable code is present in more recent firmware, but not used

Other interfaces and authentication configurations are not vulnerable to this issue:

  • SSH in firmware released after June 2004 is not vulnerable
  • SSH and Web using only local authentication are not vulnerable
  • SSH, Web, Telnet, and Serial Console using LDAP, RADIUS, or TACACS+ without use of local authentication fallback are not vulnerable
  • Other management interfaces, such as SNMP, are not vulnerable

A source code revision history audit revealed that this authentication bypass mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer.  Nortel spun BSSBU off in 2006 to form BLADE Network Technologies (BNT). BNT was purchased by IBM in 2010, and, subsequently, Lenovo in 2014.

Lenovo has provided relevant source code to a third-party security partner to enable independent investigation of the mechanism.

The existence of mechanisms that bypass authentication or authorization is unacceptable to Lenovo and does not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.

Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it.

Mitigation Strategy for Customers (what you should do to protect yourself):

Upgrade to the ENOS firmware version described in the product impact section below.

If upgrading is not immediately possible, then the surest option is to do all the following:

  • Enable LDAP, RADIUS, or TACACS+ remote authentication AND
  • For any of LDAP, RADIUS, or TACACS+ that are enabled, disable the related “Backdoor” and “Secure Backdoor” local authentication fallback settings AND
  • Disable Telnet AND
  • Restrict physical access to the serial console port

If doing all this is not desired, it may be possible to do a more limited set of actions based on the specifics of your environment. The precise circumstances for the vulnerability are:

SSH management interfaces are vulnerable if:

  • ENOS firmware being used was created between May 2004 and June 2004 AND
  • One or more of RADIUS or TACACS+ is enabled AND the related “Backdoor” or “Secure Backdoor” local authentication fallback is enabled AND a RADIUS or TACACS+ authentication timeout occurs

Note: LDAP is not vulnerable for these interfaces

Note: Local-only authentication is not vulnerable for these interfaces

Web management interfaces are vulnerable if:

  • An unlikely internal out of order execution condition (race condition) occurs AND
  • One or more of RADIUS or TACACS+ is enabled AND the related “Backdoor” or “Secure Backdoor” local authentication fallback is enabled AND a RADIUS or TACACS+ authentication timeout occurs

Note: LDAP is not vulnerable for these interfaces

Note: Local-only authentication is not vulnerable for these interfaces

Telnet and Serial Console management interfaces are vulnerable if:

  • LDAP, RADIUS, and TACACS+ are all disabled OR
  • One or more of LDAP, RADIUS, or TACACS+ are enabled AND the related “Backdoor” or “Secure Backdoor” local authentication fallback is enabled AND an LDAP, RADIUS, or TACACS+ authentication timeout occurs

For clarity, references to “Backdoor” and “Secure Backdoor” in the Mitigation Strategy for Customers section refer to local authentication fallback mechanisms and not the authentication bypass mechanism described in this advisory.  “Backdoor” in the authentication fallback context is an industry standard term used when configuring RADIUS and TACACS+.
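
The per-interface conditions above can be applied to a switch inventory as a configuration audit. The following is an added example, not Lenovo code: the `SwitchAuth` record, its field names, and the sample fleet are hypothetical, and the SSH date window is an interpretation of "May 2004 through June 2004".

```python
from dataclasses import dataclass, field
from datetime import date

# Interpretation (assumption): "May 2004 through June 2004" is taken as
# 2004-05-01 to 2004-06-30 inclusive.
SSH_WINDOW = (date(2004, 5, 1), date(2004, 6, 30))

@dataclass
class SwitchAuth:
    """Hypothetical inventory record; field names are not ENOS settings."""
    firmware_built: date
    telnet_enabled: bool
    remote_enabled: set = field(default_factory=set)    # of "ldap", "radius", "tacacs+"
    fallback_enabled: set = field(default_factory=set)  # methods with "Backdoor" or
                                                        # "Secure Backdoor" fallback on

def exposed_interfaces(sw: SwitchAuth) -> list:
    """Interfaces whose configuration preconditions from the advisory are met.

    A remote-authentication timeout is a runtime event, so any enabled fallback
    is treated as reachable. Web additionally needs the race condition the
    advisory calls unlikely; it is still reported so it can be reviewed.
    """
    # Fallback only matters for a method that is actually enabled.
    fallback = sw.remote_enabled & sw.fallback_enabled
    # SSH and Web: LDAP and local-only authentication are not vulnerable.
    radius_tacacs_fallback = bool(fallback & {"radius", "tacacs+"})
    # Telnet and serial: local-only authentication, or any enabled fallback.
    console_path = not sw.remote_enabled or bool(fallback)

    exposed = []
    if radius_tacacs_fallback and SSH_WINDOW[0] <= sw.firmware_built <= SSH_WINDOW[1]:
        exposed.append("ssh")
    if radius_tacacs_fallback:
        exposed.append("web")
    if console_path and sw.telnet_enabled:
        exposed.append("telnet")
    if console_path:
        exposed.append("serial")  # always present; restrict physical access
    return exposed

# Constructed sample fleet (not real devices).
FLEET = {
    "local-only": SwitchAuth(date(2016, 3, 1), True),
    "radius+fallback": SwitchAuth(date(2016, 3, 1), False, {"radius"}, {"radius"}),
    "ldap+fallback": SwitchAuth(date(2016, 3, 1), True, {"ldap"}, {"ldap"}),
    "mitigated": SwitchAuth(date(2016, 3, 1), False, {"tacacs+"}, set()),
}
REPORT = {name: exposed_interfaces(sw) for name, sw in FLEET.items()}
```

An empty list means none of the advisory's configuration preconditions are met on that firmware; it does not replace upgrading to the fixed version.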

 


Revision History:

Revision  Date  Description
3  02/22/2018  Added IBM Rackswitch G8000
2  01/11/2018  Initial release included draft text. Updated body of the advisory with final draft.
1  01/09/2018  Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 

Product Impact:

Lenovo Switches

Product  Status  Minimum Version Required to Fix  Link to Update
Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501023 
Lenovo Flex System Fabric EN4093R 10Gb Scalable Switch  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501019 
Lenovo Flex System Fabric SI4093 10Gb System Interconnect Module  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501020 
Lenovo Flex System SI4091 System Interconnect Module  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501021 
Lenovo Rack Switch G8272-CNOS  Not Affected     
Lenovo RackSwitch G8332-CNOS  Not Affected     
Lenovo RackSwitch G7028 (ThinkAgile CX2200)  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501018 
Lenovo RackSwitch G7052 (ThinkAgile CX4200/CX4600)  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501014 
Lenovo RackSwitch G8052  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/ds500977 
Lenovo RackSwitch G8124E (ThinkAgile CX2200)  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501016 
Lenovo RackSwitch G8264  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501015 
Lenovo RackSwitch G8264CS  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501009 
Lenovo RackSwitch G8272 (ThinkAgile CX4200/CX4600)  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501012 
Lenovo RackSwitch G8296  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501010 
Lenovo RackSwitch G8296-CNOS  Not Affected     
Lenovo RackSwitch G8332  Affected  8.4.6.0  https://datacentersupport.lenovo.com/downloads/DS501008 


 

IBM Switches

 

Product  Status  Minimum Version Required to Fix  Link to Update
IBM 1G L2-7 SLB switch for Bladecenter  Affected  21.0.26.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8886&fixids=nt_fw_bcsw_l27-21.0.26.0_anyos_noarch&source=SAR 
IBM Bladecenter 1:10G Uplink Ethernet switch Module  Affected  7.4.18.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8886&fixids=ibm_fw_bcsw_110gup-7.4.18.0_anyos_noarch&source=SAR 
IBM BladeCenter Layer 2/3 Copper Ethernet Switch Module  Affected  5.3.12.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8886&fixids=ibm_fw_bcsw_l23-5.3.12.0_anyos_noarch&source=SAR 
IBM BladeCenter Virtual Fabric 10Gb Switch Module  Affected  7.8.14.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8852&fixids=ibm_fw_bcsw_24-10g-7.8.14.0_anyos_noarch&source=SAR 
IBM Flex System EN2092 1Gb Ethernet Scalable Switch  Affected  7.8.18.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_en2092-7.8.18.0_anyos_noarch&source=SAR 
IBM Flex System™ Fabric CN4093 10Gb Converged Scalable Switch  Affected  7.8.18.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_cn4093-7.8.18.0_anyos_noarch&source=SAR 
IBM Flex System™ Fabric EN4093/EN4093R 10Gb Scalable Switch  Affected  7.8.18.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_en4093r-7.8.18.0_anyos_noarch&source=SAR 
IBM Flex System™ Fabric SI4093 10Gb System Interconnect Module  Affected  7.8.18.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_si4093-7.8.18.0_anyos_noarch&source=SAR 
IBM RackSwitch G8000  Affected  7.1.15  https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8000&fixids=G8000_Image_7.1.15.0&source=SAR&function=fixId&parent=Ethernet%20switches
IBM RackSwitch G8052  Affected  7.11.11.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8052R%2CF+G8264R%2CF&fixids=G8052_Image_7.11.11.0&source=SAR 
IBM RackSwitch G8124  Affected  7.11.11.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8124&fixids=G8124_G8124E_Image_7.11.11.0&source=SAR 
IBM RackSwitch G8124E  Affected  7.11.11.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8124&fixids=G8124_G8124E_Image_7.11.11.0&source=SAR 
IBM RackSwitch G8264  Affected  7.11.11.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8264&fixids=G8264_Image_7.11.11.0&source=SAR 
IBM RackSwitch G8264CS  Affected  7.8.18.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+RackSwitch+G8264CS&fixids=G8264CS_Image_7.8.18.0&source=SAR 
IBM RackSwitch G8264T  Affected  7.9.21.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+RackSwitch+G8264T&fixids=G8264T_Image_7.9.21.0&source=SAR 
IBM RackSwitch G8316  Affected  7.9.21.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+System+Networking+RackSwitch+G8316&fixids=G8316_Image_7.9.21.0&source=SAR 
IBM Rackswitch G8332  Affected  7.7.27.0  http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+RackSwitch+G8332&fixids=G8332_Image_7.7.27.0&source=SAR 



Alias Id: LEN-16095
Document ID: PS500154
Original Publish Date: 01/09/2018
Last Modified Date: 02/22/2018