| CVE ID | CVE-2017-3765 |
|---|---|
| Affected products | ENOS versions before 8.4.6.0 |
| Remedy | (1) Lenovo Flex System Fabric and RackSwitch: download the update from the following URLs: https://datacentersupport.lenovo.com/downloads/DS501023 https://datacentersupport.lenovo.com/downloads/DS501019 https://datacentersupport.lenovo.com/downloads/DS501020 https://datacentersupport.lenovo.com/downloads/DS501021 https://datacentersupport.lenovo.com/downloads/DS501018 https://datacentersupport.lenovo.com/downloads/DS501014 https://datacentersupport.lenovo.com/downloads/ds500977 https://datacentersupport.lenovo.com/downloads/DS501016 https://datacentersupport.lenovo.com/downloads/DS501015 https://datacentersupport.lenovo.com/downloads/DS501009 https://datacentersupport.lenovo.com/downloads/DS501012 https://datacentersupport.lenovo.com/downloads/DS501010 https://datacentersupport.lenovo.com/downloads/DS501008 (2) IBM Flex System Fabric, BladeCenter and RackSwitch: download the update from the following URLs: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_en4093r-7.8.18.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_cn4093-7.8.18.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8724&fixids=ibm_fw_scsw_si4093-7.8.18.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8886&fixids=nt_fw_bcsw_l27-21.0.26.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8852&fixids=ibm_fw_bcsw_24-10g-7.8.14.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8886&fixids=ibm_fw_bcsw_110gup-7.4.18.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2Fsystemx%2F8886&fixids=ibm_fw_bcsw_l23-5.3.12.0_anyos_noarch&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+RackSwitch+G8264CS&fixids=G8264CS_Image_7.8.18.0&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8264&fixids=G8264_Image_7.11.11.0&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8052R%2CF+G8264R%2CF&fixids=G8052_Image_7.11.11.0&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+RackSwitch+G8332&fixids=G8332_Image_7.7.27.0&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+BNT+RackSwitch+G8124&fixids=G8124_G8124E_Image_7.11.11.0&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+RackSwitch+G8264T&fixids=G8264T_Image_7.9.21.0&source=SAR http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FSystems_Networking%2FIBM+System+Networking+RackSwitch+G8316&fixids=G8316_Image_7.9.21.0&source=SAR |
| Posted | 2018-01-27 |
| Posted by | TWCERT/CC |
●Overview:
A backdoor known as the "HP backdoor", planted in the Enterprise Networking Operating System (ENOS) 14 years ago, has survived two corporate acquisitions and now affects many models of Lenovo- and IBM-branded network switches in service. When remote authentication via LDAP, RADIUS or TACACS+ is not in use, or when the "Backdoor" or "Secure Backdoor" settings are enabled, the conditions for the backdoor are met: an attacker can bypass authentication through the ordinary management interfaces (serial console, Telnet, SSH, Web) and obtain administrator-level privileges, which could be used to disrupt traffic through the switch or crash it. Lenovo has released firmware updates for each affected model.
●Editor's notes:
(1) Background
As its name suggests, the Enterprise Networking Operating System (ENOS) is the operating system that runs these network switches. Its original developer, Nortel's Blade Server Switch Business Unit (BSSBU), added an authentication-bypass backdoor to ENOS between May and July 2004 at the request of an OEM partner. The business passed to BLADE Network Technologies (BNT) in 2006; BNT was acquired by IBM in 2010 and by Lenovo in 2014, where it remains today. The backdoor stayed hidden for 14 years until it was detected and disclosed; Lenovo refers to it as the "HP backdoor".
(2) Backdoor characteristics
Under specific conditions, the HP backdoor lets an attacker evade the authentication mechanism and obtain administrator-level access, which could be used to make the switch pass traffic it should not and cause a denial of service. The authentication being bypassed is the ordinary login on the switch's normal management interfaces: serial console, Telnet, SSH and Web. To close the backdoor, remove the conditions that trigger it, with the following settings:
(2-1) Enable remote authentication using one of the three supported services, LDAP, RADIUS or TACACS+:
Terminal Access Controller Access-Control System Plus (TACACS+),
Remote Authentication Dial In User Service (RADIUS),
Lightweight Directory Access Protocol (LDAP).
(2-2) Disable the "Backdoor" and "Secure Backdoor" settings. Here "Backdoor" does not refer to an attacker's technique; it is a standard industry term used when configuring RADIUS and TACACS+, and it controls whether the switch's local authentication remains usable alongside the remote server.
(2-3) Disable Telnet.
(2-4) Prevent physical connections to the serial console port.
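The following audit script is an added example, not Lenovo or IBM code: it reads a `show running-config` dump and reports which of the trigger conditions from (2-1) through (2-3) above are present, plus whether the firmware predates the fixed build. The ISCLI keywords it looks for (`radius-server enable`, `tacacs-server enable`, `ldap-server enable`, `radius-server backdoor`, `radius-server secure-backdoor`, the `tacacs-server` equivalents and `access telnet enable`) are assumptions about the config syntax and should be confirmed against the output of your own firmware; both sample configs are constructed for the example, not captures from real devices. The fixed build is a parameter because the IBM 7.x trains have per-model fixed builds (see the Remedy links) while the page states the Lenovo 8.x train is affected before 8.4.6.0.

```python
"""Audit an ENOS running-config dump for the CVE-2017-3765 trigger conditions.

Added example, not vendor code.  Assumed ISCLI keywords (verify on your
firmware): `<radius|tacacs|ldap>-server enable`, `<radius|tacacs>-server
backdoor`, `<radius|tacacs>-server secure-backdoor`, `access telnet enable`.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# The page states the Lenovo 8.x train is affected before 8.4.6.0.  IBM 7.x
# trains have per-model fixed builds, so pass that model's build instead.
LENOVO_FIXED_DEFAULT: Version = (8, 4, 6, 0)

REMOTE_AUTH = ("radius", "tacacs", "ldap")
FALLBACK_KINDS = ("backdoor", "secure-backdoor")

# Constructed sample configs (not captures from real switches).
SAMPLE_WEAK_CONFIG = """\
version "8.4.3.0"
switch-type "Lenovo RackSwitch G8272"
!
hostname "core-sw1"
!
access telnet enable
!
radius-server primary-host 10.0.0.5
radius-server enable
radius-server backdoor
!
"""

SAMPLE_HARDENED_CONFIG = """\
version "8.4.6.0"
switch-type "Lenovo RackSwitch G8272"
!
hostname "core-sw1"
!
no access telnet enable
!
tacacs-server primary-host 10.0.0.6
tacacs-server enable
no tacacs-server backdoor
no tacacs-server secure-backdoor
!
"""


def _has_line(config: str, text: str) -> bool:
    """True if `text` is a whole config line.  A leading `no ` makes it a
    different line, so `no radius-server backdoor` does not match."""
    return re.search(r"^\s*" + re.escape(text) + r"\s*$", config, re.M) is not None


def parse_version(config: str) -> Version:
    """Extract the firmware version from the `version "x.y.z.w"` header."""
    m = re.search(r'^\s*version\s+"?(\d+(?:\.\d+)*)"?', config, re.M)
    if not m:
        raise ValueError("no version line found in config")
    return tuple(int(part) for part in m.group(1).split("."))


def version_is_affected(version: Version, fixed: Version) -> bool:
    """Builds older than this model's fixed build still carry the backdoor."""
    return version < fixed


def audit(config: str, fixed: Version = LENOVO_FIXED_DEFAULT) -> Dict[str, object]:
    """Parse the config and list the trigger conditions that are present."""
    version = parse_version(config)
    remote_auth = [p for p in REMOTE_AUTH if _has_line(config, f"{p}-server enable")]
    fallbacks = [
        f"{p}-server {kind}"
        for p in ("radius", "tacacs")
        for kind in FALLBACK_KINDS
        if _has_line(config, f"{p}-server {kind}")
    ]
    telnet = _has_line(config, "access telnet enable")

    findings: List[str] = []
    if version_is_affected(version, fixed):
        findings.append("firmware %s predates fixed build %s"
                        % (".".join(map(str, version)), ".".join(map(str, fixed))))
    if not remote_auth:
        findings.append("no remote authentication (LDAP/RADIUS/TACACS+) enabled")
    for fb in fallbacks:
        findings.append("'%s' is enabled (local-auth fallback keeps the bypass reachable)" % fb)
    if telnet:
        findings.append("Telnet management access is enabled")

    return {
        "version": version,
        "remote_auth": remote_auth,
        "fallbacks": fallbacks,
        "telnet_enabled": telnet,
        "findings": findings,
        "needs_action": bool(findings),
    }


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        result = audit(cfg)
        print("%s: needs_action=%s" % (name, result["needs_action"]))
        for finding in result["findings"]:
            print("  -", finding)
```

The weak sample trips three of the four checks (old firmware, `radius-server backdoor`, Telnet) even though RADIUS itself is enabled; the hardened sample uses TACACS+ with both fallbacks explicitly negated and Telnet off. Absence of an `access telnet enable` line is treated as "not explicitly enabled", so confirm the firmware default on the device before trusting a clean result, and remember that (2-4), physical access to the console, cannot be read from a config dump at all.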
(3) Affected devices
Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch
Lenovo Flex System Fabric EN4093R 10Gb Scalable Switch
Lenovo Flex System Fabric SI4093 10Gb System Interconnect Module
Lenovo Flex System SI4091 System Interconnect Module
Lenovo RackSwitch G7028 (ThinkAgile CX2200)
Lenovo RackSwitch G7052 (ThinkAgile CX4200/CX4600)
Lenovo RackSwitch G8052
Lenovo RackSwitch G8124E (ThinkAgile CX2200)
Lenovo RackSwitch G8264
Lenovo RackSwitch G8264CS
Lenovo RackSwitch G8272 (ThinkAgile CX4200/CX4600)
Lenovo RackSwitch G8296
Lenovo RackSwitch G8332
IBM Flex System™ Fabric EN4093/EN4093R 10Gb Scalable Switch
IBM Flex System™ Fabric CN4093 10Gb Converged Scalable Switch
IBM Flex System™ Fabric SI4093 10Gb System Interconnect Module
IBM Flex System EN2092 1Gb Ethernet Scalable Switch
IBM 1G L2-7 SLB switch for Bladecenter
IBM BladeCenter Virtual Fabric 10Gb Switch Module
IBM Bladecenter 1:10G Uplink Ethernet switch Module
IBM BladeCenter Layer 2/3 Copper Ethernet Switch Module
IBM RackSwitch G8264CS
IBM RackSwitch G8264
IBM RackSwitch G8052
IBM Rackswitch G8332
IBM RackSwitch G8124E
IBM RackSwitch G8264T
IBM RackSwitch G8316
IBM RackSwitch G8124
