Vulnerability Note VU#377915

SMC SMC8024L2 switch web interface authentication bypass

Original Release date: 11 Jul 2012 | Last revised: 11 Jul 2012

Overview

The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL.

Description

The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL. An unauthenticated attacker can retrieve all configuration pages from the web management GUI.

Examples of the configuration web pages include:

/status/status_ov.html      : name, SN, Management VLAN, Subnet Mask, Gateway IP, MAC Link status/Ethernet details of all ports
/system/system_smac.html    : MAC/VLANID static configuration
/ports/ports_rl.html        : Rate limiting
/ports/ports_bsc.html       : Storm control
/ports/ports_mir.html       : Port mirroring
/trunks/trunks_mem.html     : Trunks port membership
/trunks/lacp.html           : LACP port configuration
/trunks/lacpstatus.html     : LACP status
/vlans/vlan_mconf.html      : Defined VLANIDs overview
/vlans/vlan_pconf.html      : VLAN per port configuration
/qos/qos_conf.html          : 802.1p/DSCP QoS settings
/rstp/rstp.html             : RSTP configuration
/rstp/rstpstatus.html       : RSTP status
/dot1x/dot1x.html           : 802.1x configuration (Radius IP/port, RADIUS secret key, per port settings)
/security/security.html     : Static/DHCP per port IP address policy
/security/security_port.html: Per port MAC based IDS/IPS
/security/security_acl.html : Management ACL
/igmps/igmpconf.html        : IGMP Snooping/Querying configuration
/igmps/igmpstat.html        : IGMS Snoop status
/snmp/snmp.html             : SNMP configuration (Read/Trap community passwords)

Impact

An unauthenticated attacker may be able to use administrative functions and manage the switch remotely.

Solution

We are currently unaware of a practical solution to this problem. The vendor has stated this product is end-of-life and not supported. Please consider the following workarounds

Restrict Access
Appropriate firewall rules should be enabled to limit access to only trusted users and sources.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SMC Networks, Inc.Affected22 May 201211 Jul 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.1 E:POC/RL:U/RC:UC
Environmental 8.1 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Elio Torrisi for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2974
  • Date Public: 11 Jul 2012
  • Date First Published: 11 Jul 2012
  • Date Last Updated: 11 Jul 2012
  • Document Revision: 14

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.