Vulnerability Note VU#377915
SMC SMC8024L2 switch web interface authentication bypass
The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL.
An unauthenticated attacker can retrieve all configuration pages from the web management GUI.
Examples of the configuration web pages include:
An unauthenticated attacker may be able to use administrative functions and manage the switch remotely.
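One way an administrator can check their own switch's management interface for this behaviour is to request pages with no session and see what is served. This is an added example, not code from the advisory or the vendor; the address `192.0.2.10`, the `PLACEHOLDER_CONFIG_PAGE_*` paths and the sample responses are constructed assumptions, since the advisory's list of pages is not reproduced here.

```python
"""Check whether management pages are served to a client that has no session."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx as HTTPError instead of following it to a login page


def fetch_anonymous(url, timeout=5):
    """GET url with no cookies or credentials; return (status, body_length)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, 0


def classify(status, body_length):
    """Map an anonymous response to an audit verdict."""
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        return "redirected"  # usually a bounce to the login page
    if status == 200 and body_length > 0:
        return "served-without-auth"  # review by hand: may be a login form
    return "inconclusive"


def audit(base_url, paths, fetch=fetch_anonymous):
    """Request every path anonymously and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + "/" + p.lstrip("/"))) for p in paths}


# Constructed responses standing in for a device, so the example runs offline.
SAMPLE_RESPONSES = {
    "http://192.0.2.10/": (302, 0),
    "http://192.0.2.10/PLACEHOLDER_CONFIG_PAGE_1": (200, 4312),
    "http://192.0.2.10/PLACEHOLDER_CONFIG_PAGE_2": (401, 0),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, 0))


if __name__ == "__main__":
    paths = ["/", "/PLACEHOLDER_CONFIG_PAGE_1", "/PLACEHOLDER_CONFIG_PAGE_2"]
    for path, verdict in audit("http://192.0.2.10", paths, fetch=sample_fetch).items():
        print(f"{verdict:20} {path}")
```

Any page that comes back as `served-without-auth` while the landing page redirects or demands credentials matches the behaviour described in this note.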
We are currently unaware of a practical solution to this problem. The vendor has stated this product is end-of-life and not supported. Please consider the following workarounds
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| SMC Networks, Inc. | Affected | 22 May 2012 | 11 Jul 2012 |
CVSS Metrics
Thanks to Elio Torrisi for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2012-2974
- Date Public: 11 Jul 2012
- Date First Published: 11 Jul 2012
- Date Last Updated: 11 Jul 2012
- Document Revision: 14