HP curiosity and vulnerability

2009-11-12T00:00:00
ID SECURITYVULNS:DOC:22787
Type securityvulns
Reporter Securityvulns
Modified 2009-11-12T00:00:00

Description

Before the vulnerability..

HP buys 3Com in mega $2.7 billion deal http://www.scmagazineus.com/HP-buys-3Com-in-mega-27-billion-deal/article/157601/

HP plans to buy 3Com ($2.7b), which owns TippingPoint, which runs ZDI, which has a 1128-day vuln in HP products: http://bit.ly/2HEonE http://twitter.com/hdmoore/statuses/5629710613

http://www.zerodayinitiative.com/advisories/upcoming/ ZDI-CAN-582 Hewlett-Packard Low 2009-10-21, 21 days ago ZDI-CAN-581 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-575 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-574 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-573 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-566 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-564 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-563 Hewlett-Packard High 2009-10-21, 21 days ago ZDI-CAN-518 Hewlett-Packard High 2009-07-16, 118 days ago ZDI-CAN-523 Hewlett-Packard High 2009-07-14, 120 days ago ZDI-CAN-522 Hewlett-Packard High 2009-07-14, 120 days ago ZDI-CAN-503 Hewlett-Packard High 2009-06-25, 139 days ago ZDI-CAN-474 Hewlett-Packard High 2009-04-15, 210 days ago ZDI-CAN-453 Hewlett-Packard Medium 2009-03-13, 243 days ago ZDI-CAN-420 Hewlett-Packard High 2009-01-26, 289 days ago ZDI-CAN-419 Hewlett-Packard High 2009-01-26, 289 days ago ZDI-CAN-418 Hewlett-Packard High 2009-01-26, 289 days ago ZDI-CAN-417 Hewlett-Packard High 2009-01-26, 289 days ago ZDI-CAN-206 Hewlett-Packard High 2007-07-17, 848 days ago ZDI-CAN-177 Hewlett-Packard High 2007-03-19, 968 days ago ZDI-CAN-105 Hewlett-Packard High 2006-10-10, 1128 days ago

Any bets on whether these vulnerabilities see the light of day?

=-=

   Title:  HP ProCurve Web Management Interface Multiple XSS

Release Date: 2009-11-11 Application: HP ProCurve Switch Management Interface

Description:

HP ProCurve Networking Switches use a web based Management Interface to control and configure the devices. Under the 'Security' -> 'SSL' portion of the application, an attacker can inject HTML or JavaScript into the 'Organization Name' and 'Organization Unit' fields. The information supplied by the attacker is stored by the switch and rendered in the browser of subsequent visitors. Additionally, an attacker can inject script into various fields related to the SSL certificate. Not only does this create a cross-site scripting scenario, an administrator cannot change the fields back using the 'Use Installed Cert' interface, rather she must create a new certificate to remove the old entry.

Product Details:

Vendor: Hewlett-Packard Development Company, L.P. Product: ProCurve Networking Switches Version: 5308xl ver E.08.42, ROM E.05.04 2524 ver F.05.50, ROM F.02.01 2824 ver I.07.31, ROM I.07.01

Solution:

Don't use HP products.

Disclosure Timeline:

2006-11-10: Vulnerability Discovered 2006-11-29: Disclosed to Vendor via e-mail to security-alert@hp.com HP SSRT replied, SSRT061284 assigned to this issue 2006-11-30: M.M. validated issue 2007-03-28: Mail sent to M.M. and security-alert@hp.com asking for status 2008-02-15: Mail sent to M.M. asking for status 2008-02-15: M.M. replies, will confirm and reply following week 2009-11-11: No replies, no indication this is important. (1096 days)

References:

Vendor: http://www.procurve.com/ XSS Information: http://en.wikipedia.org/wiki/Cross_site_scripting

=-=

BugsNotHugs Shared Vulnerability Disclosure Account