[NEWS] HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability

From: support@securiteam.com
Date: 09/24/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 24 Sep 2002 18:23:01 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability
------------------------------------------------------------------------

SUMMARY

The HP Procurve 4000M is an extremely common managed switch, which
provides low-cost and scalable Ethernet switching. It is ideal for
medium-to-large businesses that desire a flexible platform for 10, 100,
and gigabit interfaces. In the 4000M's base configuration, the switch
ships with five of ten 'slots' populated with cards that contain 8 fast
Ethernet copper ports.

Under many circumstances, several 4000M chassis will be in operation at a
single site, or otherwise interconnected. Also common is a situation
where several switches are interconnected via 'trunked ports' for link
aggregation, or for VLAN extension to remote wiring closets.

In these situations, the administrator can enable specific features of
the 4000M which allow any (or all) of the switches to be viewed through a
single administrative interface, from anywhere on the internet, via a web
browser. We refer to the switches within this administrative group as a
'stack.'

There exists at least one vulnerability in this interface that allows an
attacker to reset a switch that is a member of a 'stack' by requesting a
single HTTP URL from the stack's commander. This allows the attacker to
arbitrarily and repeatedly deny access to all switched ports of that
stack member.

DETAILS

Vulnerable systems:
 * HP Procurve 4000M Switch (J4121A) Firmware revision C.09.13 (Current)

Severity:
Multiple reset requests may deny use of stacked switch entirely

Detailed Description:
The firmware handling the URL "http://<ADDRESS>/sw2/cgi/device_reset?"
executes the "device_reset" command on a member switch without first
checking whether the source of the request is authenticated. <ADDRESS> is
the IP address that the administrator has assigned to the designated
"commander" switch of the stack. The "2" denotes the stack member number
(i.e. "sw2"), the second switch in the stack; other members are addressed
the same way. Because no authentication check is made, any host that can
reach the commander's HTTP interface can issue the request.

Exploitation of this vulnerability by sending the reset request
repeatedly may deny use of the stacked switch entirely, as the member
switch is rebooted each time.
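As an added illustration (not part of the original advisory and not HP code), the following Python script shows how a monitoring pipeline could flag requests for the member device_reset CGI path in captured HTTP traffic and surface the repeated-reboot pattern described above. The log line format, the addresses (192.0.2.10 standing in for the commander, 198.51.100.7 for an attacker) and the sample lines are all constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Path the advisory describes: /sw<N>/cgi/device_reset on the commander's
# HTTP interface, where N is the stack member number. The trailing "?" in
# the advisory's URL is an empty query string, which urlsplit() strips.
RESET_PATH = re.compile(r"^/sw(?P<member>\d+)/cgi/device_reset/?$")

# Constructed log format (an assumption for this example, not an HP format):
#   <client_ip> "<METHOD> <absolute_url> HTTP/1.x"
REQUEST_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d"'
)


@dataclass(frozen=True)
class ResetAttempt:
    src_ip: str      # client that sent the request
    commander: str   # host part of the URL (the commander switch's address)
    member: int      # stack member number taken from /swN/


def parse_request_line(line: str) -> Optional[ResetAttempt]:
    """Return a ResetAttempt if the line requests a member's device_reset
    CGI; None for non-matching or malformed lines."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    hit = RESET_PATH.match(url.path)
    if not hit:
        return None
    return ResetAttempt(
        src_ip=m.group("src"),
        commander=url.hostname or "-",
        member=int(hit.group("member")),
    )


def find_reset_attempts(lines: Iterable[str]) -> List[ResetAttempt]:
    """All device_reset requests found in the given log lines, in order."""
    found = []
    for line in lines:
        attempt = parse_request_line(line)
        if attempt is not None:
            found.append(attempt)
    return found


def repeated_resets(attempts: Iterable[ResetAttempt],
                    threshold: int = 2) -> Dict[Tuple[str, str, int], int]:
    """Count requests per (client, commander, member) and return the
    tuples at or above the threshold: the repeated-reboot pattern that
    denies use of the member switch."""
    counts = Counter((a.src_ip, a.commander, a.member) for a in attempts)
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample traffic; no line here comes from the advisory or a
# real capture.
SAMPLE_LOG = [
    '10.0.0.5 "GET http://192.0.2.10/ HTTP/1.0"',
    '198.51.100.7 "GET http://192.0.2.10/sw2/cgi/device_reset? HTTP/1.0"',
    '10.0.0.5 "GET http://192.0.2.10/sw1/cgi/status HTTP/1.0"',
    '198.51.100.7 "GET http://192.0.2.10/sw2/cgi/device_reset? HTTP/1.0"',
    '198.51.100.7 "GET http://192.0.2.10/sw3/cgi/device_reset HTTP/1.1"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    attempts = find_reset_attempts(SAMPLE_LOG)
    for a in attempts:
        print(f"reset request from {a.src_ip} via commander "
              f"{a.commander} -> stack member {a.member}")
    for (src, cmd, member), n in repeated_resets(attempts).items():
        print(f"REPEATED: {src} reset member {member} via {cmd} {n} times")
```

The match is on the decoded URL path rather than a raw substring so that the optional trailing "?" and a trailing slash are both caught; a production rule would also want to watch the commander's address from any source outside the management subnet, since the request needs no credentials.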

Neither the stacking features nor remote IP access features are enabled by
default. The administrator has the option of effectively disabling IP
support (see 'Recommendation' below) and may then administer the switch
via the device's RS-232 serial port.

At this time we are unaware of any other CGIs that do not verify
submitted commands against authorized users; however, we believe it
reasonable to assume that others may exist. It is also likely that other
switches which use similar firmware, such as the 8000M, are also at
risk.

Vendor Response:
This issue was reported to Hewlett-Packard on August 28, 2002. On
September 11, 2002, posting of this vulnerability was delayed at HP's
request.

On 9/20/2002 HP asked that we include the following statement:

"Hewlett-Packard Company has released Security Bulletin number
HPSBUX0209-219 which recommends the following solution: Upgrade the switch
firmware [sic] to revision C.09.16 or newer, and be sure that a "manager
password" is being used. HPSBUX0209-219 may be found in the "Security
Bulletin archives" on <http://itrc.hp.com>."

As of this post, the patched firmware and security bulletin have not yet
been posted.

Our Recommendation:
Disable stacking features of all switches. If stacking features must be
enabled, prevent or restrict IP-level access to the device: assigning
0.0.0.0 disables IP support entirely, and an address in a private range
that is not routed from untrusted networks limits who can reach it.

If IP-level access must be available, then it is highly recommended that
IP access lists (where available) on the switches be utilized.
Additionally, placing the switch's IP address(es) in a subnet apart from
those in use by other systems attached to the switch is ideal. It would be
best to disable both telnet and HTTP access.

ADDITIONAL INFORMATION

The information has been provided by Brook Powers
<mailto:bugtraq@tech-serve.com> and Tony Kapela
<mailto:tony@wi.engr.wisc.edu>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


