Juniper Networks

Signature Detail


Short Name

HTTP:MISC:HP-PROCURVE-RESET

Severity

Medium

Recommended

No

Category

HTTP

Keywords

Hewlett Packard Procurve Remote Reset

Release Date

2003/04/22

Update Number

1213

Supported Platforms

di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Hewlett Packard Procurve Remote Reset


This signature detects attempts to exploit a known vulnerability in the HP Procurve 4000M switch. Configuration changes for the switch are made through an HTTP-based interface; however, the script that resets the switch after a configuration change does not properly authenticate the IP address that calls the script. Attackers can call the script repeatedly to cause a denial of service.

Extended Description

When multiple Procurve switches are interconnected, administrators commonly enable a feature that allows each switch to be viewed through a single web-accessible interface. HP Procurve switches have been reported to be vulnerable to a denial-of-service attack when used in a "stack" configuration. An attacker can reset member switches by issuing a device reset command to a vulnerable device. Vulnerable devices do not require authentication before accepting this command. Note that the web interface is not enabled by default.

Affected Products

  • HP Procurve Switch 1600M
  • HP Procurve Switch 2400M
  • HP Procurve Switch 2424M
  • HP Procurve Switch 4000M
  • HP Procurve Switch 8000M

References

  • BugTraq: 5784
  • CVE: CVE-2002-1147

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.