Thursday, September 2, 2010

When bugs are forgotten

Last year, at HAR2009, there was a presentation about reverse engineering switch firmware. The researchers had found that there is a backdoor password in some Accton-based switches (which are sold by several manufacturers, such as 3Com). It was a very nice piece of reverse engineering.

After the presentation, I occasionally checked the manufacturer website to see when a patch would show up, but it never did. In fact, the vulnerability was never picked up by the security community. I have a vulnerable device (a 3Com 3812 gigabit switch) and started to complain. So here it is, more than a year later, a >365-day exploit.

It's hard to say which switches are vulnerable and which are not. Having a 3Com device certainly doesn't mean that it is vulnerable, but you can check for yourself using the exploit code. Vulnerability scanners will start detecting it soon, and time will tell, I guess. In the meantime, you could disable all management interfaces and manage your switches using a console cable.