
CERT Coordination Center


LG-Nortel ELO GS24M Switch contains multiple vulnerabilities

Vulnerability Note VU#523027

Original Release Date: 2012-03-21 | Last Revised: 2012-03-28

Overview

The LG-Nortel ELO GS24M switch web management interface contains multiple vulnerabilities, including authentication bypass (CWE-592) and information exposure (CWE-200).

Description

Authentication on the LG-Nortel ELO GS24M switch web management interface can be bypassed by accessing the URLs of configuration web pages directly. Some of these pages allow the current device configuration to be downloaded, and that configuration includes credentials in cleartext.

Impact

A remote unauthenticated attacker may be able to operate and configure the device with the permissions of an administrator.

Solution

This product is considered end-of-life by the vendor and is no longer supported. Please consider the following workaround:

Restrict Access

Implement appropriate firewall rules to only allow trusted sources to access the web management interface of the device.

Vendor Information


LG-Ericsson

Notified: March 19, 2012 | Updated: March 20, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           8.3    AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.5    E:H/RL:U/RC:UC
Environmental  7.5    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Thanks to Christopher Campbell for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 1.54
Date Public: 2012-03-21
Date First Published: 2012-03-21
Date Last Updated: 2012-03-28 12:16 UTC
Document Revision: 15

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.