
SANS ISC: HP Switches? You may want to look at patching them. - Internet Security | DShield SANS ISC InfoSec Forums


HP Switches? You may want to look at patching them.

A little over a week ago HP (thanks for the link, Ugo) put out a fix for an unspecified vulnerability on a fair number of their switches and routers, in both their ProCurve and 3COM ranges.

CVE-2013-2341 (CVSS score of 7.1) and CVE-2013-2340 (CVSS score of 10)

The first one requires authentication, the second one none, and both are remotely exploitable. The lack of detail in my view is a little bit disappointing. It would be nice to have a few more details, especially since some switches may not be upgradable. As the issue is across the HP and 3COM range of products I guess we could assume that it has something to do with common code on both devices, which would tend to indicate maybe they are fixing OpenSSL issues from back in February. But that is just speculation. If you do know more, I'd be interested in hearing from you. In the meantime, if you have HP or 3COM kit check here (https://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c03808969-2%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken) and start planning your patches.

I'd start with internet-facing equipment first and then start working on the internal network. Whilst upgrading the software you may want to take the opportunity to take a peek at your authentication and SNMP settings, making sure you have changed those from the usual defaults (remember 3COM devices have multiple default accounts). "public" or the company name are not good SNMP community strings.

Mark H - Shearwater

 

Mark

391 Posts
ISC Handler
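An added example, not part of the original diary or HP's advisory: an offline check of saved switch configurations for the weak SNMP community strings the diary warns about ("public" or the company name). The config line forms, the sample configs, the company name "ExampleCorp" and the function name are assumptions made for illustration.

```python
import re

# Community-string lines as they commonly appear in saved configs (assumed forms):
#   ProCurve:       snmp-server community "public" unrestricted
#   3COM (Comware): snmp-agent community read public
COMMUNITY_RE = re.compile(
    r'^\s*(?:snmp-server\s+community\s+"?(?P<pc>[^"\s]+)"?'
    r'|snmp-agent\s+community\s+(?:read|write)\s+(?P<cw>\S+))',
    re.IGNORECASE,
)

def weak_communities(config_text, company_names=(), known_weak=("public", "private")):
    """Return (line_no, community, reason) for each weak SNMP community string."""
    weak = {w.lower() for w in known_weak}
    names = [n.lower() for n in company_names if n]
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue  # not a community definition
        community = m.group("pc") or m.group("cw")
        lowered = community.lower()
        if lowered in weak:
            findings.append((line_no, community, "well-known default"))
        elif any(n in lowered for n in names):
            findings.append((line_no, community, "contains company name"))
    return findings

# Constructed sample configs (not taken from real devices).
SAMPLE_PROCURVE = '''hostname "sw-access-01"
snmp-server community "public" unrestricted
snmp-server community "ExampleCorp-ro" operator
snmp-server community "k7Tq9vZp2m" operator restricted
'''
SAMPLE_COMWARE = '''sysname sw-core-01
snmp-agent community read public
snmp-agent community write Examplecorp2013
snmp-agent sys-info version all
'''

if __name__ == "__main__":
    for name, cfg in (("procurve", SAMPLE_PROCURVE), ("comware", SAMPLE_COMWARE)):
        for line_no, community, reason in weak_communities(cfg, ["ExampleCorp"]):
            print(f"{name}: line {line_no}: {community!r} ({reason})")
```

Run it over configuration backups pulled during the upgrade window so weak strings are fixed in the same change as the firmware.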
My ProCurve 2520G seems to be one of the few not in the affected list. It doesn't seem to use SSL for anything; just SSH/telnet/HTTP/SNMP.

More detail would have been nice, to know if clients can exploit these vulnerabilities if they're outside of a dedicated management VLAN, for example.
Steven C.

171 Posts
My 1910s were patched in the February firmware. Not that they mention anything in the release notes :-(
Anonymous
It looks like the advisory has been updated twice since:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03808969

They now provide insights on the vulnerabilities and mitigation actions.
Ugob

4 Posts
