
Backdoor Found in Lenovo RackSwitch and BladeCenter - linsomniac
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/
======
a2tech
Who wants to guess who requested this backdoor be added?

A source code revision history audit revealed that this authentication bypass
mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server
Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added
at the request of a BSSBU OEM customer. Nortel spun BSSBU off in 2006 to form
BLADE Network Technologies (BNT). BNT was purchased by IBM in 2010, and,
subsequently, Lenovo in 2014.

~~~
thg
> Who wants to guess who requested this backdoor be added?

It could actually have been added by malicious hackers. The Wikipedia entry[0]
reads like Nortel didn't really care about having had their systems completely
breached for a _decade_, nor did they disclose that to any (prospective)
buyers of the company.

[0]: [https://en.wikipedia.org/wiki/Nortel#Hackers_had_free_access_for_years_without_being_detected](https://en.wikipedia.org/wiki/Nortel#Hackers_had_free_access_for_years_without_being_detected)

------
dfox
This reads as a similar problem to [https://www.exploit-db.com/exploits/14875/](https://www.exploit-db.com/exploits/14875/)
(which impacts certain Dell switches).

What is somewhat relevant is that for most of these Accton switches, exploiting
this vulnerability is the only way to perform a factory reset of a switch that
you don't know the password for that does not involve paid out-of-warranty
service. To some extent I'm able to believe that this money-grab is the reason
for the existence of the whole backdoor, only the manager who had this
brilliant business idea didn't expect that the password generator would get
reverse engineered.

~~~
mschuster91
What I don't get is: why not do it like HP? With some of their switch gear,
you can connect ports 1/2 via cable during powerup to trigger a reset, proving
ultimate control over the physical device. Other HP gear I use has a "clear
config" pinhole which together with the "reset" pinhole can be used to wipe
the password, the config or both.

Also, I remember that some years ago I read a story about a sysadmin who
locked down all networking equipment, and some of it could actually not be
reset and had to be a) serviced and b) completely reconfigured, leading to
significant cost...

~~~
dfox
Because you cannot collect money each time a customer presses a physical button
(or flips a bit in confreg, which is the Cisco way of doing the same).

The best solution I've seen from the practicality standpoint is the distinct
"clear password" button on the HP ProCurves that you mention, which works
without power cycling the switch (and thus without downtime). Looping ports 1
and 2, which is used by typical non-Accton Chinese OEM switches, seems like a
giant hack to me (which can even happen by accident given the right
environment).

~~~
mschuster91
> The best solution I've seen from the practicality standpoint is the distinct
> "clear password" button on the HP ProCurves that you mention, which works
> without power cycling the switch (and thus without downtime).

No downtime == not detectable by monitoring. Port looping by accident is not a
problem: when it occurs during operation, the network grinds to a halt _very_
quickly after the deed, and the hellfire of flashing LEDs should show any
operator what is going on; and when it happens during power-up by accident,
something has gone very wrong...

~~~
dogma1138
It is definitely detectable by monitoring.

And it can also be disabled. ProLiant servers also have, or had (I haven't
handled them for years), a password bypass button for iLO/IPMI, and it was a
godsend in some cases.

------
criddell
This is the CVE:

[https://nvd.nist.gov/vuln/detail/CVE-2017-3765](https://nvd.nist.gov/vuln/detail/CVE-2017-3765)

And this is Lenovo's page on the issue:

[https://support.lenovo.com/us/en/product_security/len-16095](https://support.lenovo.com/us/en/product_security/len-16095)

------
shmerl
_> The existence of mechanisms that bypass authentication or authorization are
unacceptable to Lenovo and do not follow Lenovo product security or industry
practices_

What about their own installation of spyware like Superfish[1] or even harder
to remove UEFI malware[2]? Apparently they are OK with doing it, when they do
it themselves.

1. [https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident](https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident)

2. [https://news.ycombinator.com/item?id=10039870](https://news.ycombinator.com/item?id=10039870)

~~~
iraklism
Not really sure why people are downvoting without providing their side of the
argument. Your point is valid.

------
Aloha
In my probably uneducated opinion, this sounds less like a backdoor, and more
like a bug.

~~~
JonnyNova
I disagree; that definitely sounds like something that could have been added
deliberately. It is very probable that whoever had the joy of holding the
legacy code support bag after all the transitions had no idea this existed in
it.

------
Simulacra
Will Lenovo always have the shadow of the Chinese government looming over it?
Is there a point in the future when the two might be disconnected?

~~~
JonnyNova
Nothing about this has anything to do with the Chinese government
specifically. This was introduced by Nortel, then perpetuated by IBM, then
eventually discovered by Lenovo.

