Dell PowerConnect vulnerability
Whilst trying to automate backups of our network device configuration I stumbled across a major disclosure vulnerability with Dell PowerConnect switches. Under the default configuration the running config if the switch can be downloaded without authenticating. Simply open a web browser and navigate to:
http://switch management IP/filesystem/running-config
I’ve tried writing back to the switches by posting data to /http_file_download.html with no success – Cookies are required for that. Still, with a copy of the encrypted root password it shouldn’t take long to get access with a good set of rainbow tables (See here for such a tool).
This is likely to effect most current Dell PowerConnect switches though I’ve only tested it on M6220 and 6248 switches running the latest firmware (3.1.3.9 blades / 3.2.1.3 on 6200).
If you have vulnerable PowerConnect switches in your environment I’d urge you to use ACLs to restrict management to a particular IP range or disable HTTP management altogether from the global configuration context:
console>en console#conf console(config)#no ip http server console(config)#ex console#copy running-config startup-config This operation may take a few minutes. Management interfaces will not be available during this time. Are you sure you want to save? (y/n) y Configuration Saved!
Dell are working on a fix.
Update:
- Older 2.x firmware versions on the 62xx series do not seem to be effected and just display a 404 page;
- Vulnerability has been confirmed on 62xx series devices running both 3.2.0.7 and 3.2.1.9 firmware releases;
- This does not effect the 54xx or 35xx series switches;
- As of 9th June 2011, Dell have escalated the problem to Broadcom. A fix is estimated in 3-4 weeks.
Hi Dave,
I am unable to reproduce this on a PowerConnect 5524 running the latest 4.0.1.0 firmware from April. Accessing the URL you specified just redirects to the login page.
Is anyone else able to confirm this on other hardware or firmware versions?
Hi Doug
Speaking to Dell, they reckon it effects about 50% of the PowerConnect range. What do the 55xx series run behind the scenes? Is there a “File Upload” option in the web interface under “File Management” ?
Dave
Yes there is a File Upload section. When I upload (err…download) the running config via HTTP and monitor the transfer with Fiddler, it accesses this URL:
ip.add.re.ss/csd28634b/config/runCfg.txt?rlCopyFreeHistoryIndex=13&&rlCopyDestinationFileType=2&&rlCopySourceFileName=Running%20Configuration&&rlCopySourceFileType=2
I am unable to to access that URL again, and definitely can’t do it without authenticating.
Must not effect the 5xxx devices then. Consider yourself lucky 🙂
Every 62xx device I’ve tested running any of the 3.x firmware releases is effected. I don’t believe 4.x is available for the 62xx series yet.
It seems it only affects L3 switches
did u get the reward that they offered for not publishing this ?
Dell have no vulnerability reward program like Google, Facebook etc.
did u get this from just a techie or from a senior manager that knows what it means to them.
i would think that TOP Senior management would care ??
maybe i am a bit too optimistic
When I discovered the vulnerability Dell first of all reproduced it on a series of switches. A technical account manager was then assigned, I jokingly asked if they had a program similar to Google and they confirmed Dell have no such policy.
pity. would have made you a nice trip somewhere hot 🙂
anyway , they will i am sure fix it in the next release , so its a moot point anyway
Just wanted to let you know that Dell teams are looking into the issue you’ve raised.
Thanks for flagging it.
Sincerely,
LionelatDell
Thanks Lionel, any idea when a fix is due? Last I heard was that Broadcom? were working on it, with a fix 3-4 weeks away.