SMC SMC8024L2 switch web interface authentication bypass
Vulnerability Note VU#377915
Original Release Date: 2012-07-11 | Last Revised: 2012-07-11
Overview
The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL.
Description
The SMC8024L2 switch does not require authentication for the web interface configuration pages if they are visited with a direct URL. An unauthenticated attacker can retrieve all configuration pages from the web management GUI.
Examples of the configuration web pages include:
/status/status_ov.html : name, SN, Management VLAN, Subnet Mask, Gateway IP, MAC, Link status/Ethernet details of all ports
/system/system_smac.html : MAC/VLANID static configuration
/ports/ports_rl.html : Rate limiting
/ports/ports_bsc.html : Storm control
/ports/ports_mir.html : Port mirroring
/trunks/trunks_mem.html : Trunks port membership
/trunks/lacp.html : LACP port configuration
/trunks/lacpstatus.html : LACP status
/vlans/vlan_mconf.html : Defined VLANIDs overview
/vlans/vlan_pconf.html : VLAN per port configuration
/qos/qos_conf.html : 802.1p/DSCP QoS settings
/rstp/rstp.html : RSTP configuration
/rstp/rstpstatus.html : RSTP status
/dot1x/dot1x.html : 802.1x configuration (RADIUS IP/port, RADIUS secret key, per port settings)
/security/security.html : Static/DHCP per port IP address policy
/security/security_port.html : Per port MAC based IDS/IPS
/security/security_acl.html : Management ACL
/igmps/igmpconf.html : IGMP Snooping/Querying configuration
/igmps/igmpstat.html : IGMP Snooping status
/snmp/snmp.html : SNMP configuration (Read/Trap community passwords)
Impact
An unauthenticated attacker may be able to use administrative functions and manage the switch remotely.
Solution
We are currently unaware of a practical solution to this problem. The vendor has stated this product is end-of-life and not supported. Please consider the following workarounds:
Restrict Access
Appropriate firewall rules should be enabled to limit access to only trusted users and sources.
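Because the only available workaround is to keep untrusted sources away from the management interface, an administrator will want to verify that the restriction actually holds. The script below is an added example, not part of this vulnerability note or any vendor tooling. It scans HTTP access logs in Common Log Format, assumed to be captured by a reverse proxy or network sensor placed in front of the switch, for requests to the configuration pages listed above that originate outside an assumed trusted management subnet (10.0.0.0/24). A request that was served with status 200 from an untrusted source means the firewall restriction is not in effect. The log lines in the block are constructed for the example.

```python
import ipaddress
import re

# Configuration pages that VU#377915 reports the SMC8024L2 serves
# without authentication when requested by direct URL.
SENSITIVE_PAGES = {
    "/status/status_ov.html", "/system/system_smac.html",
    "/ports/ports_rl.html", "/ports/ports_bsc.html", "/ports/ports_mir.html",
    "/trunks/trunks_mem.html", "/trunks/lacp.html", "/trunks/lacpstatus.html",
    "/vlans/vlan_mconf.html", "/vlans/vlan_pconf.html",
    "/qos/qos_conf.html", "/rstp/rstp.html", "/rstp/rstpstatus.html",
    "/dot1x/dot1x.html", "/security/security.html",
    "/security/security_port.html", "/security/security_acl.html",
    "/igmps/igmpconf.html", "/igmps/igmpstat.html", "/snmp/snmp.html",
}

# Assumption: the management network permitted to reach the switch.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Common Log Format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.15 - - [11/Jul/2012:10:01:02 +0000] "GET /status/status_ov.html HTTP/1.1" 200 1834
192.0.2.77 - - [11/Jul/2012:10:02:40 +0000] "GET /snmp/snmp.html HTTP/1.1" 200 912
192.0.2.77 - - [11/Jul/2012:10:02:41 +0000] "GET /dot1x/dot1x.html?x=1 HTTP/1.1" 200 1201
198.51.100.9 - - [11/Jul/2012:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 301
203.0.113.5 - - [11/Jul/2012:10:06:13 +0000] "GET /security/security_acl.html HTTP/1.1" 403 0
garbage line that does not parse
""".splitlines()


def is_trusted(src):
    """True if src is a valid IP address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Strip any query string so the path compares against the page list.
    path = m.group("path").split("?", 1)[0]
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
    }


def find_untrusted_config_access(lines):
    """Return requests for sensitive pages from sources outside TRUSTED_NETS.

    Each hit keeps the HTTP status so the caller can tell a served page
    (200, restriction missing) from a blocked one (e.g. 403).
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in SENSITIVE_PAGES and not is_trusted(rec["src"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_untrusted_config_access(SAMPLE_LOG):
        verdict = "SERVED" if h["status"] == 200 else "blocked"
        print(f'{h["ts"]} {h["src"]} {h["path"]} -> {h["status"]} ({verdict})')
```

Any "SERVED" line is a direct indication that an address outside the management subnet retrieved a configuration page and that the firewall rules need to be corrected; "blocked" lines still show that untrusted hosts are probing the interface.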