A few days ago I posted an article that had been circulating regarding a backdoor into Accton-based switches. You can read that post here. Shortly after, a person by the name of “CK”, who apparently works for the vendor, responded with the company’s side of the story.

I then issued my response, and CK commented with the steps to take to help secure a router/switch that is vulnerable to this backdoor. Thanks CK!

Here’s the exchange plus the fix:

hi, Matt,
Thanks for bringing up this security issue.
In order to help a customer who forgot the password and doesn’t want to lose the configuration to log in to the switch and change the existing password, we provided this mechanism: if the customer provides us the MAC address of his switch, we will generate a unique password for that switch for him/her. It is regrettable that it came out to be a security issue.

Last year, when we received the information that somebody had broken the algorithm, we had already changed our firmware so that this password can’t be used via Telnet, Web, etc. protocols over the network. Only when the administrator can physically reach the switch via console login is this password valid.

Some of the switches which have been phased out may still have the problem. If any customer has such a concern, please contact us; we will take full responsibility to help him/her fix the problem.

Thanks again for your attention to preventing people using our switches from being attacked. It is also our responsibility. Should you have any suggestion or comment, please feel free to contact me.

Best Regards
C.K.NG

@CK: I understand your argument, but my take is this:

If, say, 2% of your customer base forget their passwords and have to reset their devices and start from scratch, why would you put the other 98% of your customer base at risk of getting owned? Personally, if I ran one of your routers/switches/whatever and found out that I had lost trade secrets or valuable information due to a hole that your company intentionally put into my router/switch, you would have a lawsuit on your hands.

It is not your responsibility to provide a way for your customers to log in to their device if they’ve forgotten their password. If they’ve made the mistake of setting a password and not documenting it, remembering it, something, that is not your company’s issue – it’s theirs. And, if they have to reset their router/switch as a result of their carelessness, maybe the task of reconfiguring the router will make them be a little more diligent the next time.

All of us have forgotten our passwords to something at some point in our lives. I’ve hit the “reset” button on many devices in my day due to not having documented a password. This is my own fault and I accept that.

Dear Matt,
Thanks for your comment, you are absolutely correct. But it also showed that our company cares about customers, even if they are the 2%.

Anyway, I think if customers use the switch properly, it won’t be attacked via the super password issue.

Firstly, normally customers will separate the user VLAN from the management VLAN, so users can’t reach the switch.

Secondly, even if the user and the switch are in the same VLAN (subnet), or the management VLAN can be accessed by routing, we still have a way to prevent the switch from attack: by using the commands shown below, only the specified management IPs can access the switch.

Console#config
Console(config)#management ?
all-client Adds IP addresses to SNMP, Web and Telnet groups
http-client Adds IP addresses to the Web group
snmp-client Adds IP addresses to the SNMP group
telnet-client Adds IP addresses to the Telnet group
Console(config)#management all-client ?
A.B.C.D Starts IP address
Console(config)#management all-client 192.168.1.1 ?
A.B.C.D Ends IP address

Console(config)#management all-client 192.168.1.1 192.168.1.10

Only IP addresses within 192.168.1.1-10 can access the switch via Telnet, HTTP, SNMP, or all of them.

Using this method, users also can’t get the MAC address of the switch via SNMP.

Please comment if it addresses your concern. Thanks.

Please also don’t forget to change the default username and password:

Console(config)#no username guest
Console(config)#no username admin
Console(config)#username ck_ng password 0 Support
Console(config)#enable password level 15 0 Support

From the log you can also see who has logged in to the switch:

Console#sh log ram

[488] 02:11:09 2001-01-01
"LoginSuccess,__super,WEB,10.2.32.162"

[20] 00:11:58 2001-01-01
"LoginSuccess,ck_ng,Console,10.2.4.21"
level: 6, module: 5, function: 1, and event no.: 1

[18] 00:11:34 2001-01-01
"LoginFailure,guest,Console,10.2.4.21"

[15] 00:09:29 2001-01-01
"LoginFailure,admin,Console,10.2.4.21"
level: 6, module: 5, function: 1, and event no.: 1

Thank you CK for providing us with a workaround. I’m sure there are a lot of people who run Accton-based switches that will find this information useful.
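As an added example, not part of the original post or of CK’s reply, the following Python script reads "sh log ram" output in the format CK quoted and applies the two defensive ideas from his comment: it flags any successful login by the "__super" recovery account (a WEB or Telnet login by that account means the recovery password was used over the network, which the updated firmware is supposed to block), and it flags network logins whose source address falls outside the "management all-client" range. The log format, the "__super" account name and the 192.168.1.1-192.168.1.10 range come from the exchange above; the two Telnet entries in the sample log are constructed, and the function names and severity labels are my own.

```python
"""Audit Accton-style 'show log ram' output for risky logins.

Assumptions (not vendor documentation): entries consist of a header line
"[seq] HH:MM:SS YYYY-MM-DD" followed by a quoted "Result,user,method,ip"
line and an optional "level: ..." detail line, as in CK's excerpt above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List

HEADER_RE = re.compile(r'^\[(\d+)\]\s+(\d{2}:\d{2}:\d{2})\s+(\d{4}-\d{2}-\d{2})$')
MESSAGE_RE = re.compile(r'^"(\w+),([^,]+),([^,]+),([\d.]+)"$')

BACKDOOR_ACCOUNT = "__super"                 # recovery account seen in CK's log
NETWORK_METHODS = {"WEB", "TELNET", "SNMP"}  # methods the management ACL governs


@dataclass
class LoginEvent:
    seq: int
    timestamp: str
    result: str   # LoginSuccess / LoginFailure
    user: str
    method: str   # WEB / Telnet / Console / ...
    source: str


def parse_log(text: str) -> List[LoginEvent]:
    """Pair each header line with the quoted message that follows it."""
    events: List[LoginEvent] = []
    header = None
    for raw in text.splitlines():
        # WordPress turns the straight quotes into curly ones; normalise them
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"').replace("\u2033", '"')
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = (int(m.group(1)), f"{m.group(3)} {m.group(2)}")
            continue
        m = MESSAGE_RE.match(line)
        if m and header:
            events.append(LoginEvent(header[0], header[1], *m.groups()))
            header = None
        # "level: ..., module: ..." lines carry no login fields and are skipped
    return events


def management_allowlist(start: str, end: str) -> Callable[[str], bool]:
    """Mirror of 'management all-client <start> <end>': an inclusive IPv4 range."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return lambda ip: lo <= int(ipaddress.IPv4Address(ip)) <= hi


def audit(events: List[LoginEvent], allowed: Callable[[str], bool]) -> List[str]:
    """Return one finding per event worth a human's attention."""
    findings = []
    for e in events:
        over_network = e.method.upper() in NETWORK_METHODS
        if e.user == BACKDOOR_ACCOUNT and e.result == "LoginSuccess":
            sev = "CRITICAL" if over_network else "NOTICE"
            findings.append(f"[{e.seq}] {sev}: {e.user} logged in via {e.method} from {e.source}")
        elif over_network and not allowed(e.source):
            findings.append(f"[{e.seq}] WARNING: {e.result} for {e.user} via {e.method} "
                            f"from non-management address {e.source}")
        elif e.result == "LoginFailure":
            findings.append(f"[{e.seq}] INFO: failed login for {e.user} via {e.method} from {e.source}")
    return findings


# Constructed sample: CK's four entries plus two made-up Telnet logins ([30], [25]).
SAMPLE_LOG = '''
[488] 02:11:09 2001-01-01
"LoginSuccess,__super,WEB,10.2.32.162"

[30] 00:15:02 2001-01-01
"LoginSuccess,ck_ng,Telnet,192.168.1.5"

[25] 00:13:40 2001-01-01
"LoginSuccess,ck_ng,Telnet,10.2.4.21"

[20] 00:11:58 2001-01-01
"LoginSuccess,ck_ng,Console,10.2.4.21"
level: 6, module: 5, function: 1, and event no.: 1

[18] 00:11:34 2001-01-01
"LoginFailure,guest,Console,10.2.4.21"

[15] 00:09:29 2001-01-01
"LoginFailure,admin,Console,10.2.4.21"
level: 6, module: 5, function: 1, and event no.: 1
'''

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), management_allowlist("192.168.1.1", "192.168.1.10")):
        print(finding)
```

Run as-is, the script reports the __super web login from 10.2.32.162 as CRITICAL, the Telnet login from 10.2.4.21 as a WARNING (outside the configured 192.168.1.1-10 range), and the two console failures as INFO; the Telnet login from 192.168.1.5 and the console login by ck_ng produce nothing. Feeding it the real "sh log ram" output of a switch is a cheap way to confirm that the management ACL is actually in effect and that the recovery account is not being used over the network.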


  1. ano says:

    It’s a shame the people that originally discovered and reported the bug didn’t get any feedback from Accton whatsoever..

  2. Matt says:

    @ano: I agree.. they should have. In fact, Accton should have published an official statement giving their side. I still don’t agree with their reasoning, but it was nice to get something out of them.

  3. [...] Accton Switches Backdoor – Vendor Response – Here we go again, a gaping security hole put into a product in the name of user friendliness. I think this is a lame excuse. If your product is well designed and documented, you should not have to put a security hole in it to make it usable. [...]
