Lenovo released a patch for a vulnerability introduced 14 years ago via a firmware update by the now-defunct Nortel Networks and its blade server and switch business unit.
The vulnerability CVE-2017-3765 is rated “high” and was linked to Lenovo's Enterprise Networking Operating System (ENOS) that was used in Lenovo and IBM RackSwitch and BladeCenter products.
If exploited, attackers could perform authentication bypass attacks via a mechanism called “HP Backdoor” that could ultimately grant an attacker admin privileges.
“An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service,” Lenovo said in a security advisory.
Users are advised to update to the latest firmware or Enable LDAP, RADIUS, or TACAS+ remote authentication, , disable the related “Backdoor” and “Secure Backdoor” local authentication fallback settings Disable Telnet and Restrict physical access to the serial console port.