Lenovo issues patch for backdoored networking switches

Lenovo blames defunct Nortel for long-standing backdoor in Lenovo network switches

Lenovo has warned about an unknown backdoor in some of its networking equipment that could enable attackers to infiltrate corporate networks.

The company claims that the backdoor was originally inserted into the firmware of the equipment some 14 years ago when it was produced by the now-defunct Nortel Networks. Lenovo claims that it was done at the request of a customer.

Lenovo has released a firmware update for the RackSwitch and BladeCenter networking switches and urged users to install it as a matter of urgency.

By tapping into this vulnerability, an attacker could tamper with settings to expose traffic that travels through the switch in order to complete denial of service.

Engineers working for the firm uncovered the bug when they completed an internal audit of firmware issued for its products from recently acquired companies.

"An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service," said the firm in its security advisory.

In a security bulletin, Lenovo explained that the Rackswitch and BladeCenter are the only switches affected by the bug. They run on ENOS (Enterprise Network Operating System), with the flaw introduced into the operating system in 2004.

ENOS provides the firmware for a range of products, including IBM's RackSwitch and BladeCenter networking technologies, which have found their way into Lenovo's portfolio following its acquisition of the IBM server business.

According to Lenovo's security team, a hidden authentication bypass mechanism - dubbed "HP Backdoor"- has been found in Telnet and Serial Console management interfaces.

However, in certain circumstances, it also affected the SSH and Web management interfaces. The company said this was in "certain limited and unlikely conditions".

It continued: "This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. If exploited, admin-level access to the switch is granted," said Lenovo.

Although IBM bought Blade Network Technologies (formerly Nortel) in 2010, the backdoor remained. But according to Lenovo, it's not easy to exploit. The flaw isn't present in Lenovo's Cloud Network Operating System (CNOS).

"Nortel spun BSSBU off in 2006 to form BLADE Network Technologies (BNT). BNT was purchased by IBM in 2010, and, subsequently, Lenovo in 2014," said the company.

It added that its latest patch will remove the backdoor. "Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it," it said.