search menu icon-carat-right cmu-wordmark

CERT Coordination Center


SMC SMC8024L2 switch web interface authentication bypass

Vulnerability Note VU#377915

Original Release Date: 2012-07-11 | Last Revised: 2012-07-11

Overview

The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL.

Description

The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL. An unauthenticated attacker can retrieve all configuration pages from the web management GUI.

Examples of the configuration web pages include:

/status/status_ov.html      : name, SN, Management VLAN, Subnet Mask, Gateway IP, MAC Link status/Ethernet details of all ports
/system/system_smac.html    : MAC/VLANID static configuration
/ports/ports_rl.html        : Rate limiting
/ports/ports_bsc.html       : Storm control
/ports/ports_mir.html       : Port mirroring
/trunks/trunks_mem.html     : Trunks port membership
/trunks/lacp.html           : LACP port configuration
/trunks/lacpstatus.html     : LACP status
/vlans/vlan_mconf.html      : Defined VLANIDs overview
/vlans/vlan_pconf.html      : VLAN per port configuration
/qos/qos_conf.html          : 802.1p/DSCP QoS settings
/rstp/rstp.html             : RSTP configuration
/rstp/rstpstatus.html       : RSTP status
/dot1x/dot1x.html           : 802.1x configuration (Radius IP/port, RADIUS secret key, per port settings)
/security/security.html     : Static/DHCP per port IP address policy
/security/security_port.html: Per port MAC based IDS/IPS
/security/security_acl.html : Management ACL
/igmps/igmpconf.html        : IGMP Snooping/Querying configuration
/igmps/igmpstat.html        : IGMS Snoop status
/snmp/snmp.html             : SNMP configuration (Read/Trap community passwords)

Impact

An unauthenticated attacker may be able to use administrative functions and manage the switch remotely.

Solution

We are currently unaware of a practical solution to this problem. The vendor has stated this product is end-of-life and not supported. Please consider the following workarounds

Restrict Access
Appropriate firewall rules should be enabled to limit access to only trusted users and sources.

Vendor Information

377915
Expand all

SMC Networks, Inc.

Notified:  May 22, 2012 Updated:  July 11, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The SMC8024L2 switch is end-of-life and not supported by the vendor.

Vendor References

http://www.smc.com/index.cfm?event=viewProduct&cid=8&scid=44&localeCode=EN_USA&pid=1542

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.1 E:POC/RL:U/RC:UC
Environmental 8.1 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Elio Torrisi for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-2974
Date Public: 2012-07-11
Date First Published: 2012-07-11
Date Last Updated: 2012-07-11 17:35 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.