Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: HP Secure Web Console
From: MGross () DELTA ORG (Mark Gross DSO)
Date: Wed, 1 Dec 1999 11:38:24 -0800


-----Original Message-----
From: Jon Mitchell [mailto:jrm () FREEDOM SWC COM]
Sent: Wednesday, December 01, 1999 7:06 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: HP Secure Web Console


The Secure Web Console is a device that looks (and acts) like
a JetDirect
printserver.  It has one ethernet port and one serial port.  The idea
behind it is that you can connect your console cable from your HP9000
machine to this device and put it on the network.  This way you can
connect to your HP9000's via a web browser so remote access
to the console
is easy.  Since this is actual console access you could potentially do
upgrades or reboots into single user mode safely from this
device without
being onsite.

The problem with this device is the word Secure in the name.
This implies that this device is providing secure access from the network.
The
information on this devices web site http://www.hp.com/go/webconsole
states that it currently uses MD5 user digest as the
encryption scheme and

There is an even more gaping security hole in HP's SWC product.
It is possible to create multiple user accounts on the web console
device and there are two types of accounts: Administrator and
Operator. Furthermore, it is also possible for multiple users
to be connected to this device concurrently. The initial user
connection gets read/write access to the console, and any
subsequent connections get read-only access. One would think
that operator accounts would have limited privileges, but this
is not the case. Operators can do anything to the SWC device
that administrators can do (reboot the device, etc.)

We were considering implementing these devices on
some of our remote HP9000 servers, so we were testing a SWC in
our lab. We found that an operator can reboot the console
while any other users are connected (including root). As would
happen with a regular console device, any logins remain
active. So whoever reconnects first to the SWC captures the
active session (which in our testing allowed an operator
to hijack root's session). What's worse, if the server is
in Service mode, anyone who has an account on the SWC
(administrators AND operators) can perform CTRL+B and reboot
the server.

Any HP system administrators who consider implementing this
ill-conceived piece of equipmement do so at their own risk...


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault