SecurityTracker.com
SecurityTracker Archives

Category:   Device (Router/Bridge/Hub)  >   HPE ProCurve Switch
Vendors:   HPE
HP Procurve Switch Bug Allows Telnet Management Port to Be Temporarily Blocked for New Management Connections
SecurityTracker Alert ID:  1003714
SecurityTracker URL:  http://securitytracker.com/id/1003714
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 1 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): C.08.22, C.09.09
Description:   A denial of service vulnerability was reported in HP's Procurve 4000M Ethernet switch. A remote user can cause the telnet management port to temporarily stop accepting new management connections.

It is reported that a port scan (using nmap) performed against the management IP address of the HP Procurve switch will cause the telnet management port to stop accepting new connections for a temporary period of time. After the port scan, port 23 reportedly remains open, but no text will be displayed when you connect to it. After a few minutes, the switch will apparently be able to accept new incoming telnet management sessions.

It is reported that this does not affect the switch in any other way. Existing telnet management connections, SNMP management 'sessions', console access, and traffic processing are reportedly not disrupted.

If the switch is rebooted, the telnet service will return to normal operation.

Any source IP address can apparently be used for the nmap portscan.

It is reported that firmware version C.07.01 does not appear to be vulnerable.

The vendor has reportedly been notified.

Impact:   A remote user can cause the telnet management port on the switch to temporarily stop accepting new management connections for a period of a few minutes.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.hp.com/rnd/index.htm
Cause:   Exception handling error
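The failure mode above has a distinctive signature: port 23 still accepts a TCP connection, but the switch never sends its telnet option negotiation or login banner. A monitoring check that only tests whether the port is open will therefore report the switch as healthy while it is in this state. The following probe, an added example that is not part of the SecurityTracker entry or the original advisory, connects to the management port, waits a bounded time for any bytes, and distinguishes "closed", "open-silent" (the state described here) and "healthy". The loopback responder, the timeout values and the sample banner text are constructed for the demonstration; a real ProCurve banner may differ.

```python
"""Telnet management-port health probe (added example, not vendor code).

Distinguishes the 'port open but no text' state described in the advisory
from a healthy telnet service and from a closed port.  The loopback
responder used by simulate() is a constructed stand-in for the switch.
"""
import socket
import threading

TELNET_IAC = 0xFF  # Interpret-As-Command byte that starts telnet option negotiation


def classify_telnet_response(data: bytes, connected: bool) -> str:
    """Map a probe outcome onto the three states the advisory describes."""
    if not connected:
        return "closed"        # refused, unreachable, or timed out at the TCP level
    if not data:
        return "open-silent"   # the degraded state: connection accepted, nothing sent
    return "healthy"


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Connect to host:port, wait up to `timeout` seconds for any bytes, classify."""
    data = b""
    connected = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            connected = True
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""     # accepted the connection but stayed silent
    except OSError:
        pass                   # connect failed: treated as "closed"
    return {
        "host": host,
        "port": port,
        "state": classify_telnet_response(data, connected),
        "negotiation_seen": TELNET_IAC in data,  # did the peer start telnet negotiation?
    }


def simulate(banner: bytes, timeout: float = 0.5) -> dict:
    """Start a loopback responder that sends `banner` (or nothing) and probe it.

    Constructed stand-in for the switch: an empty banner mimics the stuck
    state (connection accepted, no text), a non-empty one mimics normal service.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            conn.settimeout(timeout * 2)
            try:
                conn.recv(1)   # hold the connection open until the client hangs up
            except socket.timeout:
                pass

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        return probe_telnet("127.0.0.1", port, timeout=timeout)
    finally:
        worker.join(timeout * 4)
        listener.close()


if __name__ == "__main__":
    # Constructed demo: a healthy responder, then one that mimics the stuck switch.
    healthy_banner = b"\xff\xfd\x18\r\nHP ProCurve Switch 4000M\r\nPassword: "
    print(simulate(healthy_banner))   # state: healthy, negotiation_seen: True
    print(simulate(b""))              # state: open-silent
```

Run `probe_telnet(<management-ip>)` from a host that is on the switch's authorized-manager list; an "open-silent" result is the condition the advisory describes and is the signal to alert on, since a plain port check will not catch it. The timeout is deliberately short: a healthy telnet daemon sends its negotiation bytes immediately on accept, so several seconds of silence is already diagnostic.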

Message History:   None.


 Source Message Contents

Subject:  DoS on HP ProCurve 4000M switch (possibly others)


Advisory Vitals:

Name:				HP ProCurve 4000M nmap DoS
Affected Products:	HP ProCurve 4000M (J4121A), possibly others
Firmware Versions:	C.08.22 and C.09.09 both tested vulnerable
Relevant Vendor URL:	http://www.hp.com/rnd/
Vendor Contacted:		9/10/2001; 1/16/2002


Summary:

nmap portscans cause a DoS on the HP ProCurve 4000M Ethernet switch.
Depending on the version of firmware, after portscanning the management IP
address of the switch it is no longer possible to use telnet to manage the
device.  However, the switch continues to process ICMP messages and SNMP
PDUs normally, and frames switched by the device also appear unaffected.


Details:

Only the HP ProCurve 4000M was tested; a number of other products run the
same firmware image and may or may not be vulnerable.
Firmware C.07.01 does not appear to be vulnerable to this issue; numerous
successive and varied nmap scans against the switch did not affect its
ability to accept new telnet sessions.

C.08.22 and C.09.09 are vulnerable.  One nmap portscan against the switch's
management IP address renders the switch unable to accept new telnet
sessions.  Port 23 remains open, but no text is displayed once connected.
Eventually (after a number of minutes) this state changes and the switch is
again able to accept incoming telnet sessions, but a single nmap portscan or
OS detection attempt immediately renders the switch inaccessible via telnet
once again.

Existing telnet sessions to the switch appear unaffected during and after
the portscan.  Also, SNMP continues to function normally, and the switch is
ping-able even in its 'dead telnet' state.

Console access to the switch does not appear affected.  Rebooting the switch
is the only way to regain the ability to telnet to it, once it is stuck in
the described state.

Exacerbating this issue is that the source of the nmap portscan does not
have to be on the 'Authorized IP Managers' list in the switch for this DoS
to occur.


Vendor Notification:

HP initially confirmed this issue on 9/10/2001 and assigned trouble ticket
#3200180647.  After some initially positive discussions, I didn't hear from
them for some time, and called back on 1/16/2002 when I was given another
case number, #1430333405.  Haven't heard anything since.  Everyone I have
dealt with at HP has been very friendly, and in all other respects I am very
happy with the ProCurve switches I have used, but this issue remains
unresolved.


Workaround:
None known.  A number of bugs have been fixed since C.07.01 and that version
is no longer available via HP's web site, so running it may not be a viable
option.  Isolating the management address of the switch from networks that
may intentionally or unintentionally portscan the switch is the best
solution in lieu of new firmware from HP.


----------
Jon Snyder


Copyright 2021, SecurityGlobal.net LLC