SecurityTracker.com
SecurityTracker Archives

Category:   Device (Router/Bridge/Hub)  >   HPE ProCurve Switch
Vendors:   HPE
HP Procurve 4000M Switch Can Be Reset By Remote Users Due to No Authentication on 'device_reset' Command
SecurityTracker Alert ID:  1005277
SecurityTracker URL:  http://securitytracker.com/id/1005277
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 24 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Firmware revision C.09.13; Procurve 4000M Switch
Description:   A denial of service vulnerability was reported in HP's Procurve switch. A remote user can cause the device to reset.

Techserve issued an advisory warning that a remote user can request the following URL to execute the device_reset command (the "2" represents the switch number in the stack of switches):

http://<IP ADDRESS>/sw2/cgi/device_reset?

According to the report, the command is not authenticated by the switch.

A remote user can apparently issue the command repeatedly to cause denial of service conditions.

The report notes that remote IP access features are not enabled by default. Also, the report suggests that other CGI commands may suffer from the same lack of authentication, but no specific commands are identified. Other HP switch products that implement the same firmware may reportedly be affected by the same flaw.

Impact:   A remote user can reset a switch. By doing this repeatedly, the remote user can deny service to other users.
Solution:   HP has issued a security bulletin (HPSBUX0209-219) that announces an upgraded version (C.09.16).

The bulletin is available to registered users in the "Security Bulletin archives" on <http://itrc.hp.com>.

[Editor's note: A follow-up alert will be issued shortly containing the HP security bulletin recommendations.]

The author of the report has provided the following recommendations:

"Disable stacking features of all switches. If stacking features must be enabled, prevent or restrict IP level access to the device by assigning 0.0.0.0 or private IP ranges.

If IP-level access must be available, then it is highly recommended that IP access lists (where available) on the switches be utilized. Additionally, placing the Switch's IP address(es) in a subnet apart from those in use by other systems attached to the switch is ideal. It would be best to disable both telnet and HTTP access."

Vendor URL:  www.hp.com/rnd/index.htm
Cause:   Authentication error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(HP Issues Fix) Re: HP Procurve Switch Can Be Reset By Remote Users Due to No Authentication on 'device_reset' Command
HP has issued a fix.


Source Message Contents

Subject:  HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability


                            Techserve, Inc.
                        www.tech-serve.com

                          Security Advisory


Advisory Name: HP Procurve 4000M Stacked Switch HTTP Reset Vulnerability
Release Date: 09/23/2002
Platform: HP Procurve 4000M Switch (J4121A)
Application: Firmware revision C.09.13 (Current)
Severity: Multiple reset requests may deny use of stacked switch entirely
Authors: Brook Powers (bugtraq@tech-serve.com), Tony Kapela 
(tony@wi.engr.wisc.edu)
Vendor Status: Vendor Notified August 28th, 2002
CVE Candidate: Pending
Reference: www.tech-serve.com/research/advisories/2002/a092302-1.txt


Overview:
=======

The HP Procurve 4000M is an extremely common managed switch, which provides 
low-cost and scalable ethernet switching. It is ideal for medium-to-large 
businesses that desire a flexible platform for 10, 100, and gigabit 
interfaces. In the 4000M's base configuration, the switch ships with five 
of ten 'slots' populated with cards that contain 8 fast ethernet copper ports.

Under many circumstances, several 4000M chassis will be in operation at a 
single site, or otherwise interconnected. Also common is a situation 
where several switches are interconnected via 'trunked ports' for link 
aggregation, or for VLAN extension to remote wiring closets.

In these examples, the administrator can enact specific features of the 
4000M which allow any (or all) of the switches to be viewed through a 
single administrative interface, anywhere on the internet, via a web 
browser. We refer to the switches within this administrative group as a 
'stack.'

There exists at least one vulnerability in this interface that allows an 
attacker to reset a switch that is a member of a 'stack' of switches via 
an HTTP URL. This allows the attacker to arbitrarily and repeatedly deny 
access to all switched ports of the stack member.


Detailed Description:
===============

The firmware handling the URL "http://<IP ADDRESS>/sw2/cgi/device_reset?" 
allows the "device_reset?" command to be executed on member switches 
without first checking to see if the source of the command is 
authenticated. The IP address is the address that the administrator has 
assigned to the designated "commander" switch for the stack. The "2" 
denotes the stack member number (i.e. "sw2") or the second switch in the 
stack.

Exploitation of this vulnerability and the resulting reset requests may 
deny use of the stacked switch entirely, as the switch is repeatedly rebooted.

Neither the stacking features nor remote IP access features are enabled by 
default. The administrator has the option of effectively disabling IP 
support (see 'Recommendation' below) and may then administer the switch via 
the device's rs-232 serial port.

At this time we are unaware of any other CGIs that do not verify submitted 
commands against authorized users; however, we believe it reasonable to 
assume others may exist. It is also likely that other switches which 
use similar firmware, such as the 8000M, are also at risk.
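The following Python model is added here for illustration and is not code from 
Techserve or from HP's firmware. It models the dispatch of the stack-member CGI 
paths described above (/sw<N>/cgi/<command>), once in the flawed form where the 
command runs for any request that reaches it, and once in a hardened form that 
requires an authenticated manager session before any command is even looked up. 
The Request/Stack classes, the `session_authenticated` flag and the response 
strings are assumptions made for the model; checking authentication ahead of the 
command lookup is what also covers any other CGI that lacks its own check.

```python
import re
from dataclasses import dataclass, field

# Pattern for the stack-member CGI paths described in the advisory:
# /sw<N>/cgi/<command>, e.g. /sw2/cgi/device_reset? (trailing '?' optional)
CGI_PATH = re.compile(r"^/sw(?P<member>\d+)/cgi/(?P<command>[A-Za-z_]+)\??$")


@dataclass
class Request:
    """A hypothetical HTTP request as seen by the commander switch."""
    path: str
    session_authenticated: bool = False  # assumed: manager-password session established


@dataclass
class Stack:
    """Hypothetical stack state: member number -> number of resets issued."""
    members: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def reset(self, member: int) -> None:
        self.members[member] = self.members.get(member, 0) + 1
        self.log.append(f"member sw{member} reset")


def parse_cgi_path(path: str):
    """Return (member number, command) for a stack CGI path, else None."""
    m = CGI_PATH.match(path)
    if not m:
        return None
    return int(m.group("member")), m.group("command")


def vulnerable_dispatch(stack: Stack, req: Request) -> str:
    """Flawed behaviour: the command executes without any authentication check."""
    parsed = parse_cgi_path(req.path)
    if parsed is None:
        return "404 not found"
    member, command = parsed
    if command == "device_reset":
        stack.reset(member)
        return f"200 reset sw{member}"
    return "404 unknown command"


def hardened_dispatch(stack: Stack, req: Request) -> str:
    """Hardened behaviour: refuse every CGI command until the session is authenticated."""
    parsed = parse_cgi_path(req.path)
    if parsed is None:
        return "404 not found"
    if not req.session_authenticated:
        # Rejecting here, before the command lookup, protects every CGI at once,
        # including any other command that forgot its own check.
        return "401 manager authentication required"
    member, command = parsed
    if command == "device_reset":
        stack.reset(member)
        return f"200 reset sw{member}"
    return "404 unknown command"


if __name__ == "__main__":
    stack = Stack()
    anon = Request("/sw2/cgi/device_reset?")
    print(vulnerable_dispatch(stack, anon), stack.members)   # reset happens
    stack = Stack()
    print(hardened_dispatch(stack, anon), stack.members)     # rejected, no reset
    print(hardened_dispatch(stack, Request("/sw2/cgi/device_reset?", True)), stack.members)
```

The difference between the two dispatchers is only the position of the 
authentication check: in the hardened form it is the first thing done after the 
path is recognised as a stack CGI, so no command name is ever consulted for an 
unauthenticated caller.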


Vendor Response:
==============

This issue was reported to Hewlett Packard on August 28, 2002. On 
September 11, 2002, posting of this vulnerability was delayed at HP's request.

On 9/20/2002 HP asked that we include the following statement:

"Hewlett-Packard Company has released Security Bulletin number 
HPSBUX0209-219 which recommends the following solution: Upgrade the switch 
firmare [sic] to revision C.09.16 or newer, and be sure that a "manager 
password" is being used. HPSBUX0209-219 may be found in the "Security 
Bulletin archives" on <http://itrc.hp.com>."

As of this post the patched firmware and security bulletin have not yet 
been posted.


Our Recommendation:
=================

Disable stacking features of all switches. If stacking features must be 
enabled, prevent or restrict IP level access to the device by assigning 
0.0.0.0 or private IP ranges.

If IP-level access must be available, then it is highly recommended that IP 
access lists (where available) on the switches be utilized. Additionally, 
placing the Switch's IP address(es) in a subnet apart from those in use by 
other systems attached to the switch is ideal. It would be best to disable 
both telnet and HTTP access.
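As an added example (not part of the Techserve advisory), the script below shows 
how an administrator who has placed the commander switch's address in a 
dedicated management subnet could review an HTTP access log for device_reset 
requests: it counts resets per source address, records which stack members were 
targeted, and flags sources outside the management subnet and sources that 
issued repeated resets. The log format, the sample lines and the addresses are 
constructed for the example; the management subnet and the repetition 
threshold are parameters.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample access log (timestamp, source IP, method, path, status).
# These lines are invented for the example, not taken from any real device.
SAMPLE_LOG = """\
2002-09-23T10:00:01 192.0.2.10 GET /sw2/cgi/device_reset? 200
2002-09-23T10:00:03 192.0.2.10 GET /sw2/cgi/device_reset? 200
2002-09-23T10:00:05 192.0.2.10 GET /sw2/cgi/device_reset? 200
2002-09-23T10:01:00 10.9.0.5 GET /sw1/cgi/device_reset? 200
2002-09-23T10:02:00 10.9.0.5 GET /index.html 200
2002-09-23T10:03:00 203.0.113.7 GET /sw3/cgi/device_reset? 200
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$"
)
# The stack-member reset path from the advisory: /sw<N>/cgi/device_reset?
RESET_PATH = re.compile(r"^/sw(?P<member>\d+)/cgi/device_reset\??$")


def analyse(log_text: str, management_nets, threshold: int = 2) -> dict:
    """Summarise device_reset requests per source address.

    management_nets: CIDR strings of the subnet(s) reserved for switch management
    threshold: number of resets from one source at which they count as repeated
    Returns {source_ip: {"resets", "members", "outside_management_net", "repeated"}}.
    """
    nets = [ipaddress.ip_network(n) for n in management_nets]
    counts = Counter()
    members = defaultdict(set)

    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        p = RESET_PATH.match(m.group("path"))
        if not p:
            continue  # only reset requests are of interest here
        counts[m.group("src")] += 1
        members[m.group("src")].add(int(p.group("member")))

    findings = {}
    for src, n in counts.items():
        addr = ipaddress.ip_address(src)
        findings[src] = {
            "resets": n,
            "members": sorted(members[src]),
            "outside_management_net": not any(addr in net for net in nets),
            "repeated": n >= threshold,
        }
    return findings


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG, ["10.9.0.0/24"]).items():
        flags = [k for k in ("outside_management_net", "repeated") if info[k]]
        print(f"{src}: {info['resets']} reset(s) of sw{info['members']} {flags}")
```

A source that is both outside the management subnet and repeating the request 
is the pattern the advisory describes; a single reset from inside the 
management subnet is what a legitimate administrative action would look like, 
which is why the script reports the two conditions separately rather than 
collapsing them into one alert.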


For more info, see:
==============

(Reserved for HP advisory notice URL)


Common Vulnerabilities and Exposures (CVE) Information:
===========================================

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
following names to these issues. These are candidates for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security 
problems.

CAN-2002-(Pending)


Copyright 2002 Techserve, Inc. All rights reserved. 


Copyright 2021, SecurityGlobal.net LLC