Dell PowerConnect vulnerability
Whilst trying to automate backups of our network device configuration I stumbled across a major disclosure vulnerability with Dell PowerConnect switches. Under the default configuration the running config if the switch can be downloaded without authenticating. Simply open a web browser and navigate to:
http://switch management IP/filesystem/running-config
I’ve tried writing back to the switches by posting data to /http_file_download.html with no success – Cookies are required for that. Still, with a copy of the encrypted root password it shouldn’t take long to get access with a good set of rainbow tables (See here for such a tool).
This is likely to effect most current Dell PowerConnect switches though I’ve only tested it on M6220 and 6248 switches running the latest firmware (220.127.116.11 blades / 18.104.22.168 on 6200).
If you have vulnerable PowerConnect switches in your environment I’d urge you to use ACLs to restrict management to a particular IP range or disable HTTP management altogether from the global configuration context:
console>en console#conf console(config)#no ip http server console(config)#ex console#copy running-config startup-config This operation may take a few minutes. Management interfaces will not be available during this time. Are you sure you want to save? (y/n) y Configuration Saved!
Dell are working on a fix.
- Older 2.x firmware versions on the 62xx series do not seem to be effected and just display a 404 page;
- Vulnerability has been confirmed on 62xx series devices running both 22.214.171.124 and 126.96.36.199 firmware releases;
- This does not effect the 54xx or 35xx series switches;
- As of 9th June 2011, Dell have escalated the problem to Broadcom. A fix is estimated in 3-4 weeks.