The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL. An unauthenticated attacker can retrieve all configuration pages from the web management GUI.
Examples of the configuration web pages include:
An unauthenticated attacker may be able to use administrative functions and manage the switch remotely.
We are currently unaware of a practical solution to this problem. The vendor has stated this product is end-of-life and not supported. Please consider the following workarounds
SMC Networks, Inc.
Thanks to Elio Torrisi for reporting this vulnerability.
This document was written by Jared Allar.
Date First Published: 2012-07-11
Date Last Updated: 2012-07-11 17:35 UTC