09 August 2013
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2013.1091
HPSBHF02912 rev.1 - HP Networking Products including H3C and 3COM Routers
and Switches, OSPF Remote Information Disclosure and Denial of Service
9 August 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           HP Networking Products
Publisher:         Hewlett-Packard
Operating System:  Network Appliance
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4806

Original Bulletin:
   https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03880910

--------------------------BEGIN INCLUDED TEXT--------------------

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03880910

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03880910
Version: 1

HPSBHF02912 rev.1 - HP Networking Products including H3C and 3COM Routers
and Switches, OSPF Remote Information Disclosure and Denial of Service

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-08-08
Last Updated: 2013-08-08

Potential Security Impact: Remote information disclosure and denial of
service

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified with HP Networking
Products including 3COM and H3C routers and switches. The vulnerabilities
could be remotely exploited resulting in disclosure of information and
denial of service.

References: CVE-2013-4806 (CERT VU#229804 SSRT101224)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Please refer to the RESOLUTION section below for a list of impacted
products.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-4806    (AV:N/AC:M/Au:S/C:P/I:N/A:C)       7
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following software updates available to resolve the
vulnerabilities in the following products:

Fixed Version: R5000_3.14p14
  HP Branded Products Impacted:
    JD935A HP 5012 Router
    JD943A HP 5232 Router
    JD944A HP 5642 Router
    JD945A HP Router 5642 TAA
    JD946A HP 5682 Router
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    3Com Router 5642 TAA (3C13755TAA)
    3Com Router 5012 (3C13701)
    3Com Router 5232 (3C13751)
    3Com Router 5642 (3C13755)
    3Com Router 5682 (3C13759)

Fixed Version: R301X_1.40.23
  HP Branded Products Impacted:
    JD916A HP 3012 Router
    JD919A HP 3018 Router
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    3Com Router 3012 (3C13612)
    3Com Router 3018 (3C13618)

Fixed Version: S5600_3.10.R1702P39
  HP Branded Products Impacted:
    JD391A HP S5600-50C Ethernet Switch
    JD392A HP S5600-50C-PWR Ethernet Switch
    JD393A HP S5600-26C Ethernet Switch
    JD394A HP S5600-26C-PWR Ethernet Switch
    JD395A HP S5600-26F Ethernet Switch
  H3C Branded Products Impacted:
    H3C S5600-26C Ethernet Switch (0235A11F)
    H3C S5600-26C-PWR Ethernet Switch (0235A11G)
    H3C S5600-26F Ethernet Switch (0235A11H)
    H3C S5600-50C Ethernet Switch (0235A11D)
    H3C S5600-50C-PWR Ethernet Switch (0235A11E)
  3Com Branded Products Impacted:
    N/A

Fixed Version: E5500G_03.03.02p19
  HP Branded Products Impacted:
    JE088A HP E5500-24G Switch
    JE089A HP E5500-24G Switch (TAA)
    JE090A HP E5500-48G Switch
    JE091A HP E5500-48G Switch (TAA)
    JE092A HP E5500-24G-PoE Switch
    JE093A HP E5500-24G-PoE Switch (TAA)
    JE094A HP E5500-48G-PoE Switch
    JE095A HP E5500-48G-PoE Switch (TAA)
    JE096A HP E5500-24G-SFP Switch
    JE097A HP E5500-24G-SPF Switch (TAA)
    JF551A HP SS4 SWITCH 5500G-EI 24PT (no psu)
    JF552A HP SS4 SWITCH 5500G-EI 48PT(no psu)
    JF553A HP SS4 5500G-EI 24 PORT SFP (no psu)
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    3Com SS4 5500G-EI 24 Port SFP (NO PSU) (3CR17259-91)
    3Com SS4 Switch 5500G-EI 24PT (NO PSU) (3CR17254-91)
    3Com SS4 Switch 5500G-EI 48PT (NO PSU) (3CR17255-91)
    3Com Switch 5500G-EI 24 Port (3CR17250-91)
    3Com Switch 5500G-EI 48-Port (3CR17251-91)
    3Com Switch 5500G-EI PWR 24-Port (3CR17252-91)
    3Com Switch 5500G-EI PWR 48-Port (3CR17253-91)
    3Com Switch 5500G-EI SFP 24-Port (3CR17258-91)
    3Com TAA Compliant 5500G-EI 24-Port (3CR17250TAA-91)
    3Com TAA Compliant 5500G-EI 48-Port (3CR17251TAA-91)
    3Com TAA Compliant 5500G-EI PWR 24P (3CR17252TAA-91)
    3Com TAA Compliant 5500G-EI PWR 48P (3CR17253TAA-91)
    3Com TAA Compliant 5500G-EI SFP 24P (3CR17258TAA-91)

Fixed Version: E5500_03.03.02p19
  HP Branded Products Impacted:
    JE099A HP E5500-24 SI Switch
    JE100A HP E5500-48 SI Switch
    JE101A HP E5500-24 Switch
    JE102A HP E5500-24 Switch (TAA)
    JE103A HP E5500-48 Switch
    JE104A HP E5500-48 Switch (TAA)
    JE105A HP E5500-24-PoE Switch
    JE106A HP E5500-24-PoE Switch (TAA)
    JE107A HP E5500-48-PoE Switch
    JE108A HP E5500-48-PoE Switch (TAA)
    JE109A HP E5500-24-SFP Switch
    JE110A HP E5500-24-SPF Switch (TAA)
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    3Com SS4 Switch 5500-SI 28 Port (3CR17151-91)
    3Com SS4 Switch 5500-SI 52 Port (3CR17152-91)
    3Com Switch 5500-EI 28-Port (3CR17161-91)
    3Com Switch 5500-EI 28-Port FX (3CR17181-91)
    3Com Switch 5500-EI 52-Port (3CR17162-91)
    3Com Switch 5500-EI PWR 28-Port (3CR17171-91)
    3Com Switch 5500-EI PWR 52-Port (3CR17172-91)
    3Com TAA Switch 5500-EI 28-Port (3CR17161TAA-91)
    3Com TAA Switch 5500-EI 28-Port FX (3CR17181TAA-91)
    3Com TAA Switch 5500-EI 52-Port (3CR17162TAA-91)
    3Com TAA Switch 5500-EI PWR 28-Port (3CR17171TAA-91)
    3Com TAA Switch 5500-EI PWR 52-Port (3CR17172TAA-91)

Fixed Version: S3600.EI_3.10.R1702P34
  HP Branded Products Impacted:
    JD326A HP 3600-24-PoE EI Switch
    JD328A HP 3600-48-PoE EI Switch
    JD331A HP 3600-24 EI Switch
    JD333A HP 3600-48 EI Switch
    JD334A HP 3600-24-SFP EI Switch
  H3C Branded Products Impacted:
    H3C S3600-28F-EI - model LS-3600-28F-EI-OVS (0235A10L)
    H3C S3600-28P-EI - model LS-3600-28P-EI-OVS (0235A10H)
    H3C S3600-28P-PWR-EI - model LS-3600-28P-PWR-EI-OVS (0235A10C)
    H3C S3600-52P-EI - model LS-3600-52P-EI-OVS (0235A10K)
    H3C S3600-52P-PWR-EI - model LS-3600-52P-PWR-EI-OVS (0235A10E)
  3Com Branded Products Impacted:
    N/A

Fixed Version: E.11.38
  HP Branded Products Impacted:
    J4850A HP ProCurve Switch 5304xl
    J8166A HP ProCurve Switch 5304xl-32G
    J4819A HP ProCurve Switch 5308xl
    J8167A HP ProCurve Switch 5308xl-48G
    J4849A HP ProCurve Switch 5348xl
    J4849B HP ProCurve Switch 5348xl
    J4848A HP ProCurve Switch 5372xl
    J4848B HP ProCurve Switch 5372xl
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    N/A

Fixed Version: M.10.99
  HP Branded Products Impacted:
    J4906A HP E3400-48G cl Switch
    J4905A HP ProCurve Switch 3400cl-24G
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    N/A

Fixed Version: M.08.140
  HP Branded Products Impacted:
    J8433A HP 6400-6XG CL Switch
    J8474A HP 6410-6XG CL Switch
  H3C Branded Products Impacted:
    N/A
  3Com Branded Products Impacted:
    N/A

HISTORY
Version:1 (rev.1) - 8 August 2013 Initial Release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues
about the content of this Security Bulletin, send e-mail to
firstname.lastname@example.org.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: email@example.com

Subscribe: To initiate a subscription to receive future HP Security
Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins
is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law,
neither HP or its affiliates, subcontractors or suppliers will be liable
for incidental, special or consequential damages including downtime cost;
lost profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products
referenced herein are trademarks of Hewlett-Packard Company in the United
States and other countries. Other product and company names mentioned
herein may be trademarks of their respective owners.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================