The strange case of the 'HP backdoor' in Lenovo switches

Concern about government-mandated backdoors in technology products may be at an all-time high, but the recent discovery of an “HP backdoor” in Lenovo networking gear should prove equally alarming for the IT industry.

The computer maker last week issued a security advisory, LEN-16095, for an authentication bypass in Enterprise Networking Operating System (ENOS), the firmware that runs several of Lenovo’s networking switches. The vulnerability in question, according to Lenovo, could allow an attacker to gain access to the switch management interface and change setting that could expose traffic or cause denial of service.

That seems straightforward enough, but the advisory gets complicated in a hurry. Here’s how Lenovo laid it all out:

  • The authentication bypass mechanism in Lenovo’s ENOS software is known as “HP backdoor,” though the advisory doesn’t explain what that means.
  • The “HP backdoor” was discovered, according to Lenovo, during a security audit in the Telnet and Serial Console management interfaces and the SSH and web management interfaces “under certain limited and unlikely conditions.”
  • Lenovo said a “source code revision history audit” revealed the authentication bypass formerly known as “HP backdoor” has been hidden inside ENOS for quite a long time – since 2004, to be exact, when ENOS was part of Nortel Network’s Blade Server Switch Business Unit (BSSBU).
  • This is where it gets truly strange: The Lenovo security advisory, which at this point had moved firmly into CYA mode, drops this bomb: ” The [authentication bypass] mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer.”
  • Lenovo – as if to shout at the top of its lungs “We are not responsible for this backdoor!” – painstakingly explains that Nortel owned ENOS at that time, then spun off BSSBU two years later as Blade Network Technologies (BNT), which was then acquired by IBM in 2010. Then in 2014, BNT, ENOS and the HP backdoor ended up in Lenovo’s lap after it acquired IBM’s x86 server business.
  • Lenovo said it has given “relevant source code” to a third-party security partner for an independent investigation of the authentication bypass, but the company doesn’t say who the partner is.
  • And finally – in case it wasn’t clear already that the ENOS backdoor is absolutely not Lenovo’s doing – the computer maker states for the record that such backdoors are “unacceptable to Lenovo and do not follow Lenovo product security or industry practices.” Lenovo’s reaction here is understandable considering some of the recent security issues like using hardcoded passwords and pre-installing Superfish adware on its systems.

By the time the security advisory is over, the fix for the ENOS backdoor – a firmware update that removes the authentication bypass mechanism – seems like an afterthought. And to be sure, the conditions required for this vulnerability to be exploited are indeed limited and unlikely, in Lenovo’s words (for example, SSH is only vulnerable for certain firmware released between May and June of 2004).

However, there are a number of questions, starting with:

  • Is the “HP backdoor” a reference to Hewlett-Packard? And is HP the unnamed BSSBU OEM customer that requested the backdoor access for ENOS? Again, Lenovo’s security advisory doesn’t say, but according to reports, HP was indeed a Nortel customer at that time. When asked for comment, Lenovo said “This is the name of the feature in the user interface, on the command line interface, hence the name.”
  • Why would Nortel build a ubiquitous authentication bypass into its networking operating system and undermine its security based on a customer request? Getting an answer to this one will be tough since Nortel was dissolved after declaring bankruptcy in 2009.
  • How did the backdoor go unnoticed by both IBM and Lenovo for several years while ENOS was part of their respective product families?
  • Were there any factors that led Lenovo to examine ENOS interfaces “under certain limited and unlikely conditions” nearly four years after Lenovo agreed to acquire IBM’s x86 server business? Lenovo replied, “This was part of a routine security audit.”
  • Was the source code audit that Lenovo performed to find the HP backdoor the first such audit the company had performed on ENOS? Lenovo said “HP Backdoor was found through new techniques added to our recurring internal product security assessments, the first time that these techniques were applied to ENOS.” However, it’s not entirely clear from the response if Lenovo did perform earlier source code audits for ENOS and simply missed an authentication bypass that literally has the word “backdoor” in it.

An authentication bypass in a legacy networking OS with narrow parameters isn’t exactly an urgent matter. But Lenovo’s security advisory does raise some serious issues. The tech community has collectively wrung its hands – with good reason – over government-mandated backdoors. Yet it’s abundantly clear that prominent vendors within that same community have been poking their own holes in product for decades. And those self-inflicted wounds become even more dangerous as the tech changes hands again and again over the years, with little if any security oversight.

It’s troubling to think that a single customer could lead a major technology company to install a potentially dangerous backdoor in a widely used product. And it’s even more troubling to wonder how many other vendors have done exactly that – and forgotten about the doors they opened up so many years ago.

Enterprise Desktop
Cloud Computing