HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability

From: Brook Powers (bugtraq@tech-serve.com)
Date: 09/24/02


Date: Mon, 23 Sep 2002 22:13:41 -0400
To: bugtraq@lists.securityfocus.com
From: Brook Powers <bugtraq@tech-serve.com>


                            Techserve, Inc.
                        www.tech-serve.com

                          Security Advisory

Advisory Name: HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability
Release Date: 09/23/2002
Platform: HP Procurve 4000M Switch (J4121A)
Application: Firmware revision C.09.13 (Current)
Severity: Multiple reset requests may deny use of stacked switch entirely
Authors: Brook Powers (bugtraq@tech-serve.com), Tony Kapela
(tony@wi.engr.wisc.edu)
Vendor Status: Vendor Notified August 28th, 2002
CVE Candidate: Pending
Reference: www.tech-serve.com/research/advisories/2002/a092302-1.txt

Overview:
=========

The HP Procurve 4000M is an extremely common managed switch that provides
low-cost, scalable Ethernet switching. It is ideal for medium-to-large
businesses that want a flexible platform for 10, 100, and gigabit
interfaces. In its base configuration, the 4000M ships with five of its ten
'slots' populated with cards that each contain 8 Fast Ethernet copper ports.

Under many circumstances, several 4000M chassis will be in operation at a
single site, or otherwise interconnected. It is also common for several
switches to be interconnected via 'trunked ports' for link aggregation, or
for VLAN extension to remote wiring closets.

In these examples, the administrator can enact specific features of the
4000M which allow any (or all) of the switches to be viewed through a
single administrative interface, anywhere on the internet, via a web
browser. We refer to the switches within this administrative group as a
'stack.'

There exists at least one vulnerability in this interface that allows an
attacker to reset a switch that is a member of a 'stack' of switches via an
HTTP URL. This allows the attacker to arbitrarily and repeatedly deny
access to all switched ports of the stack member.

Detailed Description:
=====================

The firmware handling the URL "http://<ADDRESS>/sw2/cgi/device_reset?"
executes the "device_reset?" command on member switches without first
checking whether the source of the command is authenticated. The IP address
is the address that the administrator has assigned to the designated
"commander" switch for the stack. The "2" denotes the stack member number
(i.e. "sw2"), the second switch in the stack.

Exploitation of this vulnerability and the resulting reset requests may
deny use of the stacked switch entirely, as the switch is repeatedly rebooted.

Neither the stacking features nor remote IP access features are enabled by
default. The administrator has the option of effectively disabling IP
support (see 'Recommendation' below) and may then administer the switch via
the device's rs-232 serial port.

At this time we are unaware of any other CGIs that do not verify submitted
commands against authorized users; however, we believe it reasonable to
assume others may exist. It is also likely that other switches that use
similar firmware, such as the 8000M, are also at risk.

Vendor Response:
================

This issue was reported to Hewlett Packard on August 28, 2002. On
September 11, 2002, posting of this vulnerability was delayed at HP's request.

On 9/20/2002 HP asked that we include the following statement:

"Hewlett-Packard Company has released Security Bulletin number
HPSBUX0209-219 which recommends the following solution: Upgrade the switch
firmare [sic] to revision C.09.16 or newer, and be sure that a "manager
password" is being used. HPSBUX0209-219 may be found in the "Security
Bulletin archives" on <http://itrc.hp.com>."

As of this post the patched firmware and security bulletin have not yet
been posted.

Our Recommendation:
===================

Disable the stacking features of all switches. If stacking features must be
enabled, prevent or restrict IP-level access to the device by assigning
0.0.0.0 or private IP ranges.

If IP-level access must be available, then it is highly recommended that IP
access lists (where available) on the switches be used. Additionally,
placing the switch's IP address(es) in a subnet apart from those in use by
other systems attached to the switch is ideal. It would be best to disable
both telnet and HTTP access.
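The following is an added example, not part of the original advisory and not HP or Techserve code. It shows how a defender watching traffic toward the commander switch could spot the reset CGI described above, and, following the recommendation to restrict IP-level access, flag any stack-member CGI request from a host outside a management allowlist. It assumes that some sensor in front of the switch (a proxy or web-log capture) records requests in Common Log Format; the 4000M itself is not known to produce such logs, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Path of the stack-member reset CGI named in the advisory:
# /sw<N>/cgi/device_reset, where N is the stack member number.
RESET_PATH = re.compile(r"^/sw(?P<member>\d+)/cgi/device_reset(?:\?.*)?$")

# Any request into a stack member's CGI tree (reset or otherwise).
MEMBER_CGI_PATH = re.compile(r"^/sw(?P<member>\d+)/cgi/")

# Common Log Format, as a proxy or web-log sensor in front of the commander
# switch might record it. Assumed format; the 4000M does not emit this itself.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [23/Sep/2002:22:01:03 -0400] "GET /sw2/cgi/device_reset? HTTP/1.0" 200 0
198.51.100.7 - - [23/Sep/2002:22:01:45 -0400] "GET /sw2/cgi/device_reset? HTTP/1.0" 200 0
198.51.100.7 - - [23/Sep/2002:22:02:30 -0400] "GET /sw3/cgi/device_reset?confirm=1 HTTP/1.0" 200 0
203.0.113.5 - - [23/Sep/2002:22:02:31 -0400] "GET /index.html HTTP/1.0" 200 1234
203.0.113.5 - - [23/Sep/2002:22:03:02 -0400] "GET /sw1/cgi/status HTTP/1.0" 200 512
10.0.0.2 - - [23/Sep/2002:22:03:40 -0400] "GET /sw1/cgi/status HTTP/1.0" 200 512
"""


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def find_reset_requests(log_text):
    """List every (source IP, stack member number) hit on the reset CGI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = RESET_PATH.match(rec["path"])
        if m:
            hits.append((rec["src"], int(m.group("member"))))
    return hits


def repeated_reset_sources(log_text, threshold=2):
    """Sources that issued at least `threshold` reset requests.

    One reset may be a legitimate administrative action; a burst from a single
    source is the repeated-reboot denial of service the advisory describes.
    """
    counts = Counter(src for src, _ in find_reset_requests(log_text))
    return {src: n for src, n in counts.items() if n >= threshold}


def cgi_requests_outside_allowlist(log_text, allowed_sources):
    """Stack-member CGI requests from sources not on the management allowlist.

    Models the recommendation to restrict IP-level access: once management is
    confined to known hosts, any other source touching /sw<N>/cgi/ deserves an
    alert, whether or not the CGI is the reset one (the advisory expects that
    other unauthenticated CGIs may exist).
    """
    allowed = set(allowed_sources)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in allowed:
            continue
        if MEMBER_CGI_PATH.match(rec["path"]):
            findings.append((rec["src"], rec["path"]))
    return findings


if __name__ == "__main__":
    for src, member in find_reset_requests(SAMPLE_LOG):
        print(f"reset of stack member {member} requested by {src}")
    print("repeated reset sources:", repeated_reset_sources(SAMPLE_LOG))
    print("member CGI requests from unlisted hosts:",
          cgi_requests_outside_allowlist(SAMPLE_LOG, allowed_sources=["10.0.0.2"]))
```

The allowlist check is deliberately broader than the reset path: if the switch's management subnet is isolated as the recommendation suggests, the allowlist is short and any other source reaching a member CGI is anomalous regardless of which CGI it is.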

For more info, see:
===================

(Reserved for HP advisory notice URL)

Common Vulnerabilities and Exposures (CVE) Information:
=======================================================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

CAN-2002-(Pending)

Copyright 2002 Techserve, Inc. All rights reserved.
