Lenovo it found a “back door” in the IBM’s BNT network switch

Recently, Lenovo engineers found backdoors in RackSwitch and BladeCenter network switch firmware. Earlier this week, the company had released a firmware update. Lenovo said that after the acquisition of “other companies,” they conducted an internal security audit of the product firmware of the acquired company and found a back door.

The back door was implanted in 2004.

Lenovo said the backdoor only affects RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).

Lei Feng.com (Public No.: Lei Feng) found that this backdoor was added to the ENOS system in 2004 when ENOS was maintained by Nortel Networks’ Blade Server Switch Business Unit (BSSBU). Lenovo said that Nortel Networks seems to have authorized “BSSBU OEM customers” to join the back door. In the security consultation on this issue, Lenovo also mentioned a back door called “HP backdoor”.

In 2006, Nortel Networks shut down the BSSBU business unit, which was transformed into BLADE Network Technologies (BNT), but the backdoor code still seems to remain in the firmware.

Even after IBM acquired BNT in 2010, the back door remained in the code. Until 2014, Lenovo acquired IBM’s BNT product portfolio.

Release updates for Lenovo and IBM switches

Lenovo said:

“The existence of bypassing authentication or authorization mechanisms is unacceptable to Lenovo. This approach does not comply with Lenovo product security or industry practices. Lenovo has removed the backdoor from the ENOS source code and released firmware for affected products. Update.”

The firmware update applies to new Lenovo-branded switches and to ENOS legacy IBM branded switches that are still in circulation and running on the market. In Lenovo’s security bulletin, a list of switch products that get firmware updates, as well as download links for firmware updates, are also available.

At the same time, Lenovo also said that no related backdoors were found in CNOS (Cloud Network Operating System), so the switch running the operating system is secure.

The back door is difficult to use

In fact, the back door called “HP backdoor” is not a hidden account, but rather a bypass mechanism and can be operated even under very strict conditions.

RackSwitch and BladeCenter switches support a variety of authentication methods through SSH, Telnet, web interface, and serial console. When the affected switch initiates various authentication mechanisms or security features are turned on or off, hackers can take advantage of this backdoor and bypass authentication. However, if customers using these switches are unable to obtain firmware updates immediately, some mitigations can be taken to prevent the back door from being activated.