DoS on HP ProCurve 4000M switch (possibly others)

From: Jon Snyder (jonat_private)
Date: Thu Feb 28 2002 - 17:45:52 PST


    Advisory Vitals:
    
    Name:                 HP ProCurve 4000M nmap DoS
    Affected Products:    HP ProCurve 4000M (J4121A), possibly others
    Firmware Versions:    C.08.22 and C.09.09 both tested vulnerable
    Relevant Vendor URL:  http://www.hp.com/rnd/
    Vendor Contacted:     9/10/2001; 1/16/2002
    
    
    Summary:
    
    nmap portscans cause a DoS on the HP ProCurve 4000M Ethernet switch.
    Depending on the version of firmware, after portscanning the management IP
    address of the switch it is no longer possible to use telnet to manage the
    device.  However, the switch continues to process ICMP messages and SNMP
    PDUs normally, and frames switched by the device also appear unaffected.
    
    
    Details:
    
    Only the HP ProCurve 4000M was tested; a number of other products run the
    same firmware image and may or may not be vulnerable.
    Firmware C.07.01 does not appear to be vulnerable to this issue; numerous
    successive and varied nmap scans against the switch did not affect its
    ability to accept new telnet sessions.
    
    C.08.22 and C.09.09 are vulnerable.  One nmap portscan against the switch's
    management IP address renders the switch unable to accept new telnet
    sessions.  Port 23 remains open, but no text is displayed once connected.
    Eventually (after a number of minutes) this state changes and the switch is
    again able to accept incoming telnet sessions, but a single nmap portscan or
    OS detection attempt immediately renders the switch inaccessible via telnet
    once again.
    
    Existing telnet sessions to the switch appear unaffected during and after
    the portscan.  Also, SNMP continues to function normally, and the switch is
    ping-able even in its 'dead telnet' state.
    
    Console access to the switch does not appear affected.  Rebooting the switch
    is the only way to regain the ability to telnet to it, once it is stuck in
    the described state.
    
    Exacerbating this issue is that the source of the nmap portscan does not
    have to be on the 'Authorized IP Managers' list in the switch for this DoS
    to occur.
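The 'dead telnet' state described above is easy to miss from ordinary uptime monitoring, since ICMP and SNMP keep answering and port 23 still accepts connections. The following check, an added example that is not part of the original advisory, distinguishes a healthy management CLI (banner or telnet negotiation bytes arrive after connect) from the stuck state (connection accepted, but nothing is ever sent) and from an unreachable port. The local listeners and the banner text are constructed stand-ins for the switch, not real device output.

```python
import socket
import threading
import time

DEAD_TELNET = "dead-telnet"   # TCP connect succeeds but the CLI never sends a byte
HEALTHY = "healthy"           # banner or telnet IAC negotiation arrives in time
UNREACHABLE = "unreachable"   # connect refused, filtered, or timed out


def probe_telnet(host, port=23, timeout=5.0):
    """Classify the management telnet port by whether the CLI speaks after connect.

    A real telnet daemon normally sends IAC option negotiation and/or a login
    banner immediately; silence for the whole timeout is the symptom the
    advisory describes (port open, no text displayed).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(64)
            except socket.timeout:
                return DEAD_TELNET
            # An immediate EOF with no bytes is also a silent CLI.
            return HEALTHY if data else DEAD_TELNET
    except OSError:
        return UNREACHABLE


def _listener(banner):
    """Constructed local stand-in: sends `banner`, or stays silent when None."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        else:
            time.sleep(3)  # hold the connection open, like the stuck switch
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port():
    """Reserve and release an ephemeral port so a connect to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the probe against the three constructed cases; hosts are hypothetical."""
    return {
        "healthy": probe_telnet("127.0.0.1", _listener(b"\xff\xfd\x18Password: "), 1.0),
        "dead": probe_telnet("127.0.0.1", _listener(None), 1.0),
        "unreachable": probe_telnet("127.0.0.1", _closed_port(), 1.0),
    }
```

In production the probe would be pointed at the switch's management address and alert on DEAD_TELNET, since the only recovery the advisory found is a reboot.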
    
    
    Vendor Notification:
    
    HP initially confirmed this issue on 9/10/2001 and assigned trouble ticket
    #3200180647.  After some initially positive discussions, I didn't hear from
    them for some time, and called back on 1/16/2002, when I was given another
    case number, #1430333405.  I haven't heard anything since.  Everyone I have
    dealt with at HP has been very friendly, and in all other respects I am very
    happy with the ProCurve switches I have used, but this issue remains
    unresolved.
    
    
    Workaround:
    
    None known.  A number of bugs have been fixed since C.07.01 and that version
    is no longer available via HP's web site, so running it may not be a viable
    option.  Isolating the management address of the switch from networks that
    may intentionally or unintentionally portscan the switch is the best
    solution in lieu of new firmware from HP.
    
    
    ----------
    Jon Snyder
    
    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 11:11:21 PST