From: ts at securityoffice.net (Tamer Sahin)
Subject: HP Full Disclosure Story

Hello Folks, 
?
In January, have found a security hole in HP AdvanceStack switches. This 
vulnerability affected 8 different swicth models. There had been an 
interesting mail traffic between HP Security Response Team and me. I compiled 
it from my mail archive lastly and I thought that it would take your 
attention. 
?
Best Regards; 
?
Tamer Sahin 
http://www.securityoffice.net
-------------- next part --------------
********************************************************************************************
I a sending my first security anouncement to security-alert@...com and i am specifying
that in at least 4 days, if there is no response, i will publish this vulnerebility without
any patch. (this time is like a law that is not ruled. in "vulnerability disclosure" procedure)
********************************************************************************************

=======================SNIP==========================
From: ts@...urityoffice.net
To: security-alert@...com

Hewlett Packard AdvanceStack Switch Managment Authentication Bypass Vulnerability

Type:
Access Validation Error

Release Date:
January 29, 2002

Product / Vendor:
HP AdvanceStack 10Base-T Switching Hubs combine economical 10Base-T
functionality with the performance of switching. Each switching hub
starts out as a simple, single-segment, shared 10Base-T hub.

http://www.hp.com

Summary:
A problem with the HP switch allows some users to change
configuration of the switch. A bug introduced in the HP AdvanceStack
J3210A that could allow users full access on the switch. Upon taking
advantage of this vulnerability, the user could change the
configuration of the switch and could change admin password.

Therefore, it is possible for a superuser password changing with
unprivileged access on the switch to gain elevated privileges, and
potentially change configuration of the switch.

An attacker can get unauthorized access to the switch read/write
password change page this page http://host/security/web_access.html
and change superuser password. Connect superuser privileged via Web
or Telnet.

Tested:
HP J3210A AdvanceStack

Vulnerable:
HP J3210A AdvanceStack

Policy:
This vulnerability is explained to the HP <security-alert@...com>
mail adress via email at January 29, 2002. It won't be published to
the public eye before I receive a mail about correcting this
vulnerability. But if I don't get a reply within 4 days, this
security notification will be announced without any information to
HP.

Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:
Tamer Sahin
ts@...urityoffice.net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0

=======================SNIP==========================

**********************************************
Their response: they wanted time over 4 days
**********************************************

=======================SNIP==========================
From: security-alert@...com
To: ts@...urityoffice.net

Hello Tamer,

Thanks for the notification.  We are investigating the issue now.
Hopefully this message is the response you were looking for by
the four day deadline.

If you need to e-mail more details please use the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@...com.


Yours truly,
John
***********************************************************
* John Morris  HP Security Team - X11 and Graphics        *
* Atlanta (404) 648-2185      e-mail: john_morris@...com *
***********************************************************
=======================SNIP==========================

*********************************************************************
And a week passes and there is no response from HP SECURITY RESPONSE TEAM.
I send a mail and i say them that the time passes over and
if they do not publish a patch i will publish the hole in the security
mailing lists. Upon this, the opposite site understands this mail as a
threat with no meaning.And responds me with nonsense style. with words such;
we are 50 billion dollared company...etc... (I could not find the mail that
i have written about "4 day time" in my mail archieve,so i could not paste it here)
**********************************************************************

=======================SNIP==========================
From: security-alert@...com
To: ts@...urityoffice.net

IMPORTANT - PLEASE READ:
This e-mail message and any files transmitted with
it are intended solely for the addressee and are
confidential. Copyright in them is reserved by
dan_grove@...com, and you may not copy, publish
or use them in any way without pgp signed permission
from dan_grove@...com.

Hi Tamer,

I'm sorry to see the threatening tone in your message.

We did reply, and you are making the assumption that your
issue is the only one we have to work on, and that it is
the most important.

Regardless, we do not respond to threats of publishing
exploits, and we do not give out advance patch code unless
we need it to be beta tested, which is rare. We work on the
issues based on their severity in relation to the other issues,
and in most cases publish an HP Security Bulletin when the
tested solution is ready for customers to use.

Let me be very candid here, you are not the first to assume
that a $50 billion corporation will drop all the other security
issues we are working on in order to work on yours because
you threaten to publish. It has never changed the course of
our work internally; we will continue to work on the issue
until it is tested and finished.

If you decide not to publish, we would appreciate it. If you do
publish then, worst case, all that will be accomplished is
that you may cause a business somewhere to be compromised,
and they may turn to you or your company for compensation for
their financial losses. In the best case, due to September 11, 2001,
you may end up on various government agencies' "watch lists,"
and your potential career in the computer business may be
altered in ways you did not intend.

The choice is yours. We are doing our job ethically in solving the
issue. Are you doing yours to protect businesses worldwide?

_______________Dan Grove______________
___HP S/W Security Team Coordinator___
__Worldwide Technology Expert Center__
_______Hewlett-Packard Company________
___________dan_grove@...com___________
______In Cyberspace, be afraid,_______
__________ be very afraid!"___________
______________________________________
__Reach us at:
 <mailto:security-alert@...com>
=======================SNIP==========================

***************************************************
Later, here is my answer to the Security Chief who
found my mail so threatening..
***************************************************

=======================SNIP==========================
From:  ts@...urityoffice.net
To: security-alert@...com

Hi Dan,

First of all I couldn't understand your threatening attitude. The
reason for my earlier mail was taking information about a subject.
And you are in a completely threatening manner. I would have
published this anouncement without waiting for your patch to be
released, if I wished... But if you are hiding behind your big
corporation and threatening me, this is really ridiculous and thought
provoking...

I won't publish this anouncement and waiting reply for your solution
or a patch.

We have published several anouncements before for companies like
Microsoft and AOL. But as big as your company's, HP, reply to this
case taught me how HP approaches deformed...

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
=======================SNIP==========================

****************************************************
Later, the man gets more aggressive and  tries to frighten
me meaning that i could be in the blacklist of USA after 11
September just because to keep me away from publishing the
security anouncement about HP.
****************************************************

=======================SNIP==========================
From: security-alert@...com
To: ts@...urityoffice.net

Hi Tamer,

I'm sorry you perceived my previous message as threatening.
That is not the case - we are not threatening, but simply
setting expectations that we don't respond to threats of
publishing, and because the climate for security in general
has changed in the USA after September 11, 2001, we are
setting expectations for the possible results for you if
you do publish. When we deal with responsible security teams,
they do not send dated draft copies of what they are going to
publish, which would seem to indicate that they intend to
publish on that date.

I am glad you are not publishing, but to further set expectations,
we do not discuss anything with the submitter (dates for
patches, timelines, our solution, etc...) except if we have
further technical questions to help us understand the problem.

We appreciate you raising the issue, and will be happy to work
with you if needed on this issue, but we will not respond to
publishing threats that put our customer base at risk.

I am currently out of my office until February 11th, and can
only get on line randomly as I'm traveling in the western USA.
So please send all communication to securtiy-alert@...com
so that the team in the office sees the emails and can respond.

_______________Dan Grove______________
___Member Board of Directors FIRST____
___Member Steering Committee FIRST____
____Chief Financial Officer FIRST_____
_______ http://www.first.org _________
___HP S/W Security Team Coordinator___
__Worldwide Technology Expert Center__
_______Hewlett-Packard Company________
___________dan_grove@...com___________
______650-691-8611 (telecommuter)_____
______In Cyberspace, be afraid,_______
__________ be very afraid!"___________
______________________________________
__Reach us at security-alert@...com___
=======================SNIP==========================

*****************************************************
Just after this mail i published the security alert on
my site and other secuity sites. and instantaneously,
after 2 days, they puslished the security anouncement.
That is to say, they can be so fast if they want!!
*****************************************************

=======================SNIP==========================
From: security-alert@...com
To: ts@...urityoffice.net

HPSBUX0202-185: Sec. Vulnerability with HP AdvanceStack hubs
Published: Feb 12, 2002
Updated: Feb 12, 2002

Document ID:  HPSBUX0202-185
Date Loaded:  20020212
Title:  Sec. Vulnerability with HP AdvanceStack hubs

-----------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #0185,
Originally issued: 12 Feb. 2002
-----------------------------------------------------------------

The information in the following Security Advisory should be acted
upon as soon as possible.  Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Advisory as
soon as possible.

------------------------------------------------------------------
PROBLEM:  Security vulnerability when managing HP Switching
Hubs with a web browser.

PLATFORM: HP AdvanceStack J3200A, J3201A, J3202A, J3203A, J3204A,
J3205A, J3210A with firmware version A.03.02.

DAMAGE:   Gain elevated privileges

SOLUTION: Until a fix is available, work around the problem as
documented below.

MANUAL ACTIONS: Disable web access or remove the management IP
address.

AVAILABILITY:  This advisory will be updated when a fix is
available.

 ------------------------------------------------------------------
A. Background
The following are vulnerable:

J3210A -- HP AdvanceStack 10BT Management Pack Module for use
with HP AdvanceStack Switching Hubs
J3200A -- HP Advancestack 10Base-T S Hub-12R*
J3201A -- HP AdvanceStack 10BT-S Hub-12R w/Mgmt
J3202A -- HP AdvanceStack 10Base-T S Hub-24R*
J3203A -- HP AdvanceStack 10BT-S Hub-24R w/Mgmt
J3204A -- HP AdvanceStack 10Base-T S Hub-24T*
J3205A -- HP AdvanceStack 10BT-S Hub-24T w/Mgmt
* This product is not affected unless J3210A is installed within.

The vulnerable firmware version is A.03.02.

B. Fixing the problem
There are two ways to work around the problem:

1. Disable web access using telnet or RS-232 interface
a. Telnet or console into switch
b. Type "me" for menu
c. Hit "2" for Management Access Configuration
d. Hit "6" for Web enable/disable (verify it is disabled)

2. Remove the management IP address
a. Telnet or console into switch
b. Type "me" for menu
c. Hit "2" for Management Access Configuration
d. Hit "1" for IP Configuration
e. Hit "Y" to Change the IP configuration
f. Choose "D" to disable segment
g. Choose "D" to Disable (and verify it is disabled)
(Repeat F & G for each IP assigned-segment as necessary.)

NOTE! Disabling IP while connected via telnet will disconnect
your session.

C. Recommended solution
Until a fix is available work around the problem by either
disabling web access or removing the management IP address.


D. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to get to the HP IT Resource Center page at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password.  Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC.  Remember to save the
User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive".  (near the
bottom of the page)  Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic.  Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.

For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=B6834AA"

The security patch matrix is also available via anonymous ftp:

ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".


To report new security vulnerabilities, send email to

security-alert@...com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@...com.
Permission is granted for copying and circulating this
Advisory to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Advisory is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
__________________________________________________
-----End of Document ID: HPSBUX0202-185-----
=======================SNIP==========================

Powered by blists - more mailing lists