Vulnerability Note VU#523027

LG-Nortel ELO GS24M Switch contains multiple vulnerabilities

Original Release date: 21 Mar 2012 | Last revised: 28 Mar 2012

Overview

The LG-Nortel ELO GS24M switch web management interface contains multiple vulnerabilities, including authentication bypass (CWE-592) and information exposure (CWE-200).

Description

Authentication on the LG-Nortel ELO GS24M switch web management interface can be bypassed by accessing the URLs for configuration web pages directly. Some of these pages allow the current device configuration to be downloaded, and that configuration includes credentials in cleartext.

Impact

A remote unauthenticated attacker may be able to operate and configure the device with the permissions of an administrator.

Solution

This product is considered end-of-life by the vendor and is no longer supported. Please consider the following workaround:

Restrict Access

Implement appropriate firewall rules that allow only trusted sources to access the web management interface of the device.

Vendor Information

Vendor        Status    Date Notified  Date Updated
LG-Ericsson   Affected  19 Mar 2012    20 Mar 2012
CVSS Metrics

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.5 E:H/RL:U/RC:UC
Environmental 7.5 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Thanks to Christopher Campbell for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: Unknown
  • Date Public: 21 Mar 2012
  • Date First Published: 21 Mar 2012
  • Date Last Updated: 28 Mar 2012
  • Severity Metric: 1.54
  • Document Revision: 15
