Dell PowerConnect vulnerability

Whilst trying to automate backups of our network device configuration I stumbled across a major disclosure vulnerability with Dell PowerConnect switches. Under the default configuration, the running config of the switch can be downloaded without authenticating. Simply open a web browser and navigate to:

http://<switch management IP>/filesystem/running-config

I’ve tried writing back to the switches by posting data to /http_file_download.html with no success – Cookies are required for that. Still, with a copy of the encrypted root password it shouldn’t take long to get access with a good set of rainbow tables (See here for such a tool).

This is likely to affect most current Dell PowerConnect switches though I’ve only tested it on M6220 and 6248 switches running the latest firmware (3.1.3.9 blades / 3.2.1.3 on 6200).



If you have vulnerable PowerConnect switches in your environment I’d urge you to use ACLs to restrict management to a particular IP range or disable HTTP management altogether from the global configuration context:

console>en
console#conf
console(config)#no ip http server
console(config)#ex
console#copy running-config startup-config

This operation may take a few minutes.
Management interfaces will not be available during this time.

Are you sure you want to save? (y/n) y

Configuration Saved!
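
To confirm the mitigation across an inventory of your own switches, here is an added example (not part of the original post) that requests the path above without credentials and reports whether the running config is still served. The result labels and the handling of redirects and refused connections are assumptions of this example; the 404 case follows the firmware update notes further down.

```python
import sys
import urllib.error
import urllib.request

PATH = "/filesystem/running-config"  # path given in the post


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A redirect (e.g. to a login page) must not be followed and mistaken for a 200.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Map one unauthenticated response to a finding; status None means no HTTP connection."""
    if status is None:
        return "closed"        # HTTP management disabled or filtered by an ACL
    if status == 200 and body.strip():
        return "exposed"       # content served with no credentials or cookie
    if status == 404:
        return "not-affected"  # what the post reports for 2.x firmware
    return "protected"         # 401/403/redirect/empty body: nothing disclosed


def probe(host, timeout=5):
    """Request the path from one switch with no credentials and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"http://{host}{PATH}", timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("latin-1"))
    except urllib.error.HTTPError as err:  # non-2xx, including unfollowed redirects
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):  # refused, filtered or timed out
        return classify(None, "")


def audit(hosts, probe_fn=probe):
    """Return {host: finding} for every management address in the inventory."""
    return {h: probe_fn(h) for h in hosts}


if __name__ == "__main__":
    results = audit(sys.argv[1:])
    for host, finding in results.items():
        print(f"{host}\t{finding}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Pass the management addresses as arguments; the exit status is non-zero if any switch still answers with content, which makes it usable as a post-change check in a backup or monitoring job.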

Dell are working on a fix.

Update:

Older 2.x firmware versions on the 62xx series do not seem to be affected and just display a 404 page;

Vulnerability has been confirmed on 62xx series devices running both 3.2.0.7 and 3.2.1.9 firmware releases;

This does not affect the 54xx or 35xx series switches;

As of 9th June 2011, Dell have escalated the problem to Broadcom. A fix is estimated in 3-4 weeks.
