Vulnerability Note VU#377915
SMC SMC8024L2 switch web interface authentication bypass
Original Release date: 11 Jul 2012 | Last revised: 11 Jul 2012
Overview
The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL.
Description
The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL. An unauthenticated attacker can retrieve all configuration pages from the web management GUI. Examples of the configuration web pages include:
Impact
An unauthenticated attacker may be able to use administrative functions and manage the switch remotely.
Solution
We are currently unaware of a practical solution to this problem. The vendor has stated this product is end-of-life and not supported. Please consider the following workarounds.
Restrict Access
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
SMC Networks, Inc. | Affected | 22 May 2012 | 11 Jul 2012 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 8.1 | E:POC/RL:U/RC:UC |
Environmental | 8.1 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Credit
Thanks to Elio Torrisi for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2012-2974
- Date Public: 11 Jul 2012
- Date First Published: 11 Jul 2012
- Date Last Updated: 11 Jul 2012
- Document Revision: 14