Bugtraq mailing list archives
Re: HP Secure Web Console
From: MGross () DELTA ORG (Mark Gross DSO)
Date: Wed, 1 Dec 1999 11:38:24 -0800
-----Original Message-----
From: Jon Mitchell [mailto:jrm () FREEDOM SWC COM]
Sent: Wednesday, December 01, 1999 7:06 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: HP Secure Web Console

The Secure Web Console is a device that looks (and acts) like a JetDirect printserver. It has one ethernet port and one serial port. The idea behind it is that you can connect your console cable from your HP9000 machine to this device and put it on the network. This way you can connect to your HP9000's via a web browser so remote access to the console is easy. Since this is actual console access you could potentially do upgrades or reboots into single user mode safely from this device without being onsite. The problem with this device is the word Secure in the name. This implies that this device is providing secure access from the network. The information on this device's web site http://www.hp.com/go/webconsole states that it currently uses MD5 user digest as the encryption scheme and
There is an even more gaping security hole in HP's SWC product. It is possible to create multiple user accounts on the web console device and there are two types of accounts: Administrator and Operator. Furthermore, it is also possible for multiple users to be connected to this device concurrently. The initial user connection gets read/write access to the console, and any subsequent connections get read-only access. One would think that operator accounts would have limited privileges, but this is not the case. Operators can do anything to the SWC device that administrators can do (reboot the device, etc.)

We were considering implementing these devices on some of our remote HP9000 servers, so we were testing a SWC in our lab. We found that an operator can reboot the console while any other users are connected (including root). As would happen with a regular console device, any logins remain active. So whoever reconnects first to the SWC captures the active session (which in our testing allowed an operator to hijack root's session).

What's worse, if the server is in Service mode, anyone who has an account on the SWC (administrators AND operators) can perform CTRL+B and reboot the server. Any HP system administrators who consider implementing this ill-conceived piece of equipment do so at their own risk...
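The hijack Mark describes is a design flaw in how the console server binds a session: the read/write slot goes to whichever connection arrives first, not to an authenticated identity, and any account can reset that ordering by rebooting the device while the host login on the serial side stays alive. The following is an added model of that behaviour, written for this page; it is not firmware or code from HP's Secure Web Console, and every class, user and method name in it is an assumption. It replays the lab scenario against a model with the behaviour from the post and against a hardened variant (my suggested mitigations, not a documented HP fix): reboots require an administrator, and after a reboot the read/write slot is reserved for the user who held it for as long as the host login they left behind is still active.

```python
"""Model of the console-server session-binding flaw discussed in the thread.
Added illustration, not HP code; all names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    ADMIN = "administrator"
    OPERATOR = "operator"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


class HostConsole:
    """The HP9000's serial console. Rebooting the console server does not
    touch the host, so an existing login survives (as the post observes)."""

    def __init__(self) -> None:
        self.logged_in_as: Optional[str] = None

    def login(self, account: str) -> None:
        self.logged_in_as = account


class VulnerableSWC:
    """Behaviour from the post: first connection gets read/write, later ones
    read-only, and any account (operator or administrator) can reboot."""

    def __init__(self, host: HostConsole) -> None:
        self.host = host
        self.writer: Optional[User] = None
        self.readers: list[User] = []

    def connect(self, user: User) -> str:
        if self.writer is None:
            self.writer = user
            return "read/write"
        self.readers.append(user)
        return "read-only"

    def reboot_device(self, user: User) -> None:
        # No role check: an operator can drop every session, including root's.
        self.writer = None
        self.readers = []

    def host_session_for(self, user: User) -> Optional[str]:
        """Host login the user's keystrokes reach (None if read-only)."""
        return self.host.logged_in_as if self.writer == user else None


class HardenedSWC(VulnerableSWC):
    """Suggested mitigations: only administrators may reboot, and the write
    slot is reserved for its previous holder while their host login lives."""

    def __init__(self, host: HostConsole) -> None:
        super().__init__(host)
        self.reserved_for: Optional[User] = None

    def reboot_device(self, user: User) -> None:
        if user.role is not Role.ADMIN:
            raise PermissionError(f"{user.name} ({user.role.value}) may not reboot")
        self.reserved_for = self.writer if self.host.logged_in_as else None
        super().reboot_device(user)

    def connect(self, user: User) -> str:
        if self.reserved_for is not None and user != self.reserved_for:
            self.readers.append(user)
            return "read-only"
        self.reserved_for = None
        return super().connect(user)


def operator_hijack(swc_cls) -> Optional[str]:
    """Lab scenario: root connects and logs in, an operator connects, reboots
    the SWC and wins the reconnect race. Returns the host login the operator
    now controls, or None if the attack is stopped."""
    host = HostConsole()
    swc = swc_cls(host)
    root = User("root-admin", Role.ADMIN)       # constructed sample users
    op = User("night-shift", Role.OPERATOR)
    swc.connect(root)                           # read/write
    host.login("root")                          # sysadmin logs in on the console
    swc.connect(op)                             # read-only, as designed
    try:
        swc.reboot_device(op)
    except PermissionError:
        return None
    swc.connect(op)                             # first back after the reboot
    return swc.host_session_for(op)


def admin_reboot_reconnect(swc_cls) -> tuple:
    """A legitimate admin reboot: does the write slot go to whoever reconnects
    first, or back to the user whose host login is still open?"""
    host = HostConsole()
    swc = swc_cls(host)
    root = User("root-admin", Role.ADMIN)
    other = User("other-admin", Role.ADMIN)
    swc.connect(root)
    host.login("root")
    swc.connect(other)
    swc.reboot_device(other)                    # allowed in both models
    return swc.connect(other), swc.connect(root)


if __name__ == "__main__":
    print("vulnerable:", operator_hijack(VulnerableSWC))      # root
    print("hardened:  ", operator_hijack(HardenedSWC))        # None
    print(admin_reboot_reconnect(VulnerableSWC))              # ('read/write', 'read-only')
    print(admin_reboot_reconnect(HardenedSWC))                # ('read-only', 'read/write')
```

The hardened model does not make the device safe on its own: the host login still survives the reboot, so the real fix is on the HP-UX side (the console session must end when the console server drops), and the CTRL+B service-mode reboot Mark mentions would need the same administrator-only check. The point of the model is that access to the write slot has to follow an authenticated identity, not connection order.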
Current thread:
- HP Secure Web Console Jon Mitchell (Dec 01)
- Re: HP Secure Web Console Alec Kosky (Dec 01)
- Re: HP Secure Web Console Keith Rice (Dec 02)
- Re: HP Secure Web Console GNSS Research Division (Dec 03)
- Re: HP Secure Web Console GNSS Research Division (Dec 03)
- UnixWare gain root with non-su/gid binaries Brock Tellier (Dec 03)
- UnixWare read/modify users' mail Brock Tellier (Dec 03)
- UnixWare and the dacread permission Brock Tellier (Dec 03)
- Apologies for wierd email Brock Tellier (Dec 05)
- Re: HP Secure Web Console Keith Rice (Dec 02)
- Re: HP Secure Web Console David Zverina (Dec 02)
- Re: HP Secure Web Console Alec Kosky (Dec 01)
- <Possible follow-ups>
- Re: HP Secure Web Console Mark Gross DSO (Dec 01)
- Re: HP Secure Web Console Randal L. Schwartz (Dec 06)
- Re: HP Secure Web Console Thillmann, Rolf (Dec 28)