Advisory Vitals:

Name: HP ProCurve 4000M nmap DoS
Affected Products: HP ProCurve 4000M (J4121A), possibly others
Firmware Versions: C.08.22 and C.09.09 both tested vulnerable
Relevant Vendor URL: http://www.hp.com/rnd/
Vendor Contacted: 9/10/2001; 1/16/2002

Summary:

nmap portscans cause a DoS on the HP ProCurve 4000M Ethernet switch. Depending on the version of firmware, after portscanning the management IP address of the switch it is no longer possible to use telnet to manage the device. However, the switch continues to process ICMP messages and SNMP PDUs normally, and frames switched by the device also appear unaffected.

Details:

Only the HP ProCurve 4000M was tested; a number of other products run the same firmware image and may or may not be vulnerable.

Firmware C.07.01 does not appear to be vulnerable to this issue; numerous successive and varied nmap scans against the switch did not affect its ability to accept new telnet sessions. C.08.22 and C.09.09 are vulnerable.

One nmap portscan against the switch's management IP address renders the switch unable to accept new telnet sessions. Port 23 remains open, but no text is displayed once connected. Eventually (after a number of minutes) this state changes and the switch is again able to accept incoming telnet sessions, but a single nmap portscan or OS detection attempt immediately renders the switch inaccessible via telnet once again.

Existing telnet sessions to the switch appear unaffected during and after the portscan. SNMP also continues to function normally, and the switch remains ping-able even in its 'dead telnet' state. Console access to the switch does not appear affected. Once the switch is stuck in the described state, rebooting it is the only way to regain the ability to telnet to it.

Exacerbating this issue, the source of the nmap portscan does not have to be on the switch's 'Authorized IP Managers' list for this DoS to occur.
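Because the stuck state leaves port 23 open but silent, a plain "is the port open" check will not notice it. The probe below is an added example, not part of the original advisory: it opens a single TCP connection to the management port and reports whether a prompt arrives before a timeout, which is the condition a monitoring system should alert on. fake_switch is a constructed local stand-in used only to exercise the probe; the host and timeout values are assumptions.

```python
import socket
import threading
from typing import Optional


def probe_telnet(host: str, port: int = 23, timeout: float = 5.0) -> str:
    """Classify one TCP connection to host:port.

    'unreachable' - the connection could not be established
    'silent'      - connected, but no prompt/banner arrived before the timeout
                    (the 'dead telnet' state the advisory describes)
    'responsive'  - the switch sent some text after accepting the connection
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                return "silent"
            # Connection closed without ever sending a prompt: treat as silent too.
            return "responsive" if data else "silent"
    except OSError:
        return "unreachable"


def fake_switch(banner: Optional[bytes]) -> int:
    """Constructed stand-in for the switch's telnet port, for local testing only.

    Accepts one connection, sends `banner` if given (otherwise stays silent,
    like the stuck switch), then waits for the client to hang up.
    Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            if banner:
                conn.sendall(banner)
            conn.recv(1)  # returns when the probe closes its side

    threading.Thread(target=run, daemon=True).start()
    return port
```

Run probe_telnet against the management address on a schedule and alert when the result changes from "responsive" to "silent"; "unreachable" indicates a different problem (routing, ACL, or the switch being down).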
Vendor Notification:

HP initially confirmed this issue on 9/10/2001 and assigned trouble ticket #3200180647. After some initially positive discussions, I didn't hear from them for some time, and called back on 1/16/2002, when I was given another case number, #1430333405. I haven't heard anything since. Everyone I have dealt with at HP has been very friendly, and in all other respects I am very happy with the ProCurve switches I have used, but this issue remains unresolved.

Workaround:

None known. A number of bugs have been fixed since C.07.01, and that version is no longer available via HP's web site, so running it may not be a viable option. Isolating the management address of the switch from networks that may intentionally or unintentionally portscan it is the best solution in lieu of new firmware from HP.

----------
Jon Snyder