How to remediate – Multiple Switch Vendors ‘__super’ Account Backdoor

Contents

1. Introduction

The Multiple Switch Vendors ‘__super’ Account Backdoor vulnerability allows unauthorised login to network switches using a default password. This poses a significant risk as it could allow complete control of affected devices. Systems commonly impacted are network switches from various vendors. Successful exploitation results in full compromise of confidentiality, integrity and availability of the switch.

2. Technical Explanation

Nessus can log into remote switches using the ‘__super’ username with a password derived from the switch’s MAC address. This account is likely built-in, cannot be disabled, and its password cannot be changed through normal means. An attacker knowing the switch’s MAC address could gain complete control of the device.

Root cause: The use of a predictable default credential based on hardware information.
Exploit mechanism: An attacker attempts to log in using the username ‘__super’ and a password generated from the switch’s MAC address.
Scope: Multiple network switches vendors are affected, specific models have not been identified.

3. Detection and Assessment

Confirming vulnerability requires checking for login attempts with the default credentials. A quick check involves reviewing recent authentication logs. Thorough assessment can be done using a vulnerability scanner.

Quick checks: Review switch logs for successful logins as the ‘__super’ user.
Scanning: Nessus plugin ID 42947 may detect this issue. Other scanners might have similar checks.
Logs and evidence: Check switch authentication logs for login attempts from the ‘__super’ account.

show logging | include "__super"

4. Solution / Remediation Steps

Currently, there is no known patch or fix available. The primary mitigation is to restrict access to affected devices.

4.1 Preparation

No services need stopping for this step, but plan a change window as network connectivity may be impacted by restrictions. A roll back plan is to restore the previous configuration.
Changes should be approved by the network security team.

4.2 Implementation

Step 1: Restrict access to the switch’s management interface using firewall rules. Allow only trusted IP addresses or networks.
Step 2: Disable any unused services on the switch, such as Telnet, if possible.
Step 3: Monitor the switch logs for any unauthorised login attempts.

4.3 Config or Code Example

Before

# No access restrictions configured

After

access-list 10 permit tcp any host  eq ssh
interface vlan 1
 ip address  
 ip access-group 10 in

4.4 Security Practices Relevant to This Vulnerability

Practices that reduce the impact of this vulnerability include least privilege and network segmentation.

Practice 1: Least privilege reduces the potential damage if an attacker gains access, limiting their ability to compromise other systems.
Practice 2: Network segmentation isolates switches from sensitive networks, reducing the blast radius of a successful attack.

4.5 Automation (Optional)

# Example Ansible playbook to restrict access via firewall
- name: Restrict switch access
  hosts: switches
  tasks:
    - name: Configure access list
      ios_config:
        lines:
          - access-list 10 permit tcp any host  eq ssh
        parents: interface vlan 1 # Adjust as needed

5. Verification / Validation

Verification involves confirming that the firewall rules are in place and preventing unauthorised login attempts. Re-test by attempting to log in with default credentials from an untrusted source. A smoke test should confirm normal network operation.

Post-fix check: Verify access list is configured correctly using `show running-config | include access-list`.
Re-test: Attempt login as ‘__super’ from an untrusted IP address; the attempt should be blocked by the firewall.
Smoke test: Confirm network connectivity and basic switch functionality (e.g., pinging devices).
Monitoring: Monitor switch logs for failed login attempts as the ‘__super’ user, indicating potential attacks.

show running-config | include access-list

6. Preventive Measures and Monitoring

Preventive measures include updating security baselines to enforce strong access controls. Regular patch reviews are also important.

Baselines: Update switch configuration baselines to require strong passwords or multi-factor authentication where available.
Asset and patch process: Review vendor security advisories regularly for new vulnerabilities and apply patches promptly.

7. Risks, Side Effects, and Roll Back

Restricting access could disrupt legitimate management traffic if not carefully planned. Incorrect firewall rules can cause network outages. Roll back involves removing the added firewall rules.

Risk or side effect 2: Network outage due to misconfigured firewall rules. Mitigation: Have a clear roll back plan and tested procedures.
Roll back: Remove the added access list entries using `no access-list 10 permit tcp any host eq ssh`.

8. References and Resources

Vendor advisory or bulletin: https://har2009.org/program/events/103.en.html
NVD or CVE entry: http://www.securityfocus.com/bid/42947
Product or platform documentation relevant to the fix: http://www.vettebak.nl/hak/

Updated on December 27, 2025

Was this article helpful?

Yes No