Slashdot Mirror

← Back to Stories (view on slashdot.org)

HP Ships Switches With Malware Infected Flash Cards

Posted by samzenpus on from the bad-switches dept.

wiredmikey writes "HP has warned of a security vulnerability associated with its ProCurve 5400 zl switches that contain compact flash cards that the company says may be infected with malware. The company warned that using one of the infected compact flash cards in a computer could result in the system being compromised. According to HP, the potential threat exists on HP 5400 zl series switches purchased after April 30, 2011 with certain serial numbers listed in the security advisory. This issue once again brings attention to the security of the electronics supply chain, which has been a hot topic as of late."

50 comments

  1. Isit made in CHina? by Spy+Handler · · Score: 3, Interesting

    is it?

  2. Paging Quality control by Anonymous Coward · · Score: 5, Insightful

    Hello? Quality Control? Are you there?

    1. Re:Paging Quality control by sunderland56 · · Score: 2

      That's not completely fair. QC's main function is to make sure the product works as advertised - and the switch does work correctly. It just has a few extra files on an internal bit of memory - not visible to the outside world in normal product use.

      This sounds more like a failure in the manufacturing process - either (a) the malware was on the golden copy that was generated by HP (which would be an engineering failure made in the USA), or (b) the malware got added by the fabrication house (which would be a supplier failure, but should have been caught by US engineering when they verified the first production samples).

    2. Re:Paging Quality control by Anonymous Coward · · Score: 0

      I could easily see one created that only goes viral after a random interval.
      The start up mode would provide no real clue to the intended payload.

      Looks like those old 3Com switches are going to be even more valuable.

      jr

    3. Re:Paging Quality control by Darinbob · · Score: 1

      As this sounds, problems only occur if you take the compact flash out of the switches and use them with a computer which could be infected by the malware (ie, a pc). The switch itself is not damaged by the malware, it's just an extra file that is ignored by the firmware.

    4. Re:Paging Quality control by Anonymous Coward · · Score: 1

      It could have been worse, the flash card could have been infected with their new printer OS, the switch would keep asking you for a new Ethernet cable even though you just installed a fresh one and boot up time would last 10-20 minutes as it cycled all the status lights 100 times just to make sure they are working then would require a bloated software program to work, only to find out the windows 7 computers won't work with the switch half the time because of the software. And if your lucky the switch won't randomly drop the static IP assigned to it for god knows what reason.

      Trust me it could have been worse, alot worse.

    5. Re:Paging Quality control by gl4ss · · Score: 1

      yep it's there. but quality control is just "do all the stuff that was on the document" so nobody can be blamed.

      --
      world was created 5 seconds before this post as it is.
    6. Re:Paging Quality control by DickBreath · · Score: 1

      > Hello? Quality Control? Are you there?

      This is a huge failure of the Chinese quality control. If they had done everything right, this malware would have gone undetected.


      --
      All that is necessary for Apple to triumph is for Google men to do nothing.

      --

      I'll see your senator, and I'll raise you two judges.
  3. You say malware... by samazon · · Score: 3, Interesting

    The lack of detail regarding the malware (I keep typing maleware for some reason?) makes me want to jump to conclusions. The most fun one has to do with a bored programming intern and pornography, the least interesting is "they screwed something up and are blaming it on someone else."

    --
    I have the hiccups.
  4. Not to double post... by samazon · · Score: 4, Informative

    "The flash card wouldn't do anything on the switch itself but "reuse of an infected compact flash card in a personal computer could result in a compromise of that system's integrity," HP warned in a bulletin issued on Tuesday." http://www.theregister.co.uk/2012/04/11/hp_ships_malware_cards_with_switches_oops/ I think is a LOT more concise and explanatory of the issue.

    --
    I have the hiccups.
    1. Re:Not to double post... by quarmar · · Score: 1

      The switches probably run Linux internally, so the malware wasn't noticed by QA. Take the card out of a switch and stick it in your Windows PC, and the issue surfaces.

    2. Re:Not to double post... by Sponge+Bath · · Score: 1

      So the HP warning supposes:
      1. Average Joe employee has physical access to the switches.
      2. AJ will be motivated to make off with a component from the switches.
      3. AJ will happily stick the purloined part into a Windows PC.
      4. The Windows PC will auto play the contents.

      That sounds about right.

    3. Re:Not to double post... by Anonymous Coward · · Score: 0

      Probably their whole QA department has the virus though. ;-)

    4. Re:Not to double post... by Anonymous Coward · · Score: 0

      Yeah, I hear it's Ubuntu-like, the linux on there. Ciscos run something closer to RH-like (or openwrt-like), I hear, and the HPs run linux. It's taken the whole RH-vs-Debian rivalry to a whole new level at the sweatshop.

    5. Re:Not to double post... by Anonymous Coward · · Score: 2, Informative

      Dude. I work at HP. That firmware has been in use since at least the mid '90s. I can tell you for a fact that it runs Slackware.

    6. Re:Not to double post... by Anonymous Coward · · Score: 0

      Not wanting to ruin the buzz, I strongly belive that my procurve runs ecos (http://en.wikipedia.org/wiki/ECos) with of course something on top.

    7. Re:Not to double post... by jaymemaurice · · Score: 1

      What? is VxWorks dead?!

      --
      120 characters ought to be enough for anyone
    8. Re:Not to double post... by jaymemaurice · · Score: 1

      I could see some IT guy sticking the flash card into an win2k or XP machine to duplicate it onto another card. Maybe an old laptop that they kept burried in a drawer in their datacenter because it has a serial port...

      --
      120 characters ought to be enough for anyone
  5. How much does that cost? by it0 · · Score: 4, Funny

    Malware sure is expensive these days!

    Remeber kids, the best things in live are for free

  6. likely the system the loads the image has malware by Joe_Dragon · · Score: 2

    likely the system the loads the image has malware on it and it loads a fat file system and it's running windows with malware that auto copy and installs it self to any disk that it sees

  7. The future looks grim by Anonymous Coward · · Score: 0

    In the future, whats to stop China from controlling everyone's infrastructure if we rely on them to manufacture everything?

    1. Re:The future looks grim by couchslug · · Score: 1

      The fact they don't want to kill their host.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:The future looks grim by drnb · · Score: 1

      In the future, whats to stop China from controlling everyone's infrastructure if we rely on them to manufacture everything?

      The fact they don't want to kill their host.

      Wrong analogy. Replace "host" with "goose that laid the golden egg". The goose is expendable and/or replaceable.

    3. Re:The future looks grim by AlienIntelligence · · Score: 1

      Wrong analogy. Replace "host" with "goose that laid the golden egg". The goose is expendable and/or replaceable.

      Citation Please.

      -AI

      --
      For me, it is far better to grasp the Universe as it really is than to persist in delusion
  8. Increase in bashed-in heads seen in hospitals.... by rts008 · · Score: 3, Interesting

    I have admiration and sympathy for IT shops that truly try to set up and maintain a secure, productive network. At times, it must seem that EVERYONE and everything are working against you, and your just bashing your head against a wall.

    A ready made, turn-key botnet slave in a box, direct from your hardware vendor! Oh Joy! ;-)

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  9. Spoiler alert!! by Skapare · · Score: 1

    Parent post spoiled this whole thread by giving away the suspenseful ending.

    --
    now we need to go OSS in diesel cars
  10. Not a problem by Anonymous Coward · · Score: 0

    HP, GE, Dell, Apple, etc. join the list of companies like IBM. IBM showed once before that profits go ahead of morals or loyalty. And it continues to this day.

  11. Does HP... by crutchy · · Score: 1

    ...still exist!?

    1. Re:Does HP... by perpenso · · Score: 1

      Does HP still exist!?

      The sign and logo are still in use.

    2. Re:Does HP... by Anonymous Coward · · Score: 0

      Yeah, I think they were taken over by Compaq years ago...

  12. Re:IS IT made in...? by Anonymous Coward · · Score: 0

    It's unclear how the unknown malware got onto the Flash cards that come bundled with the 10 Gbps-capable line of LAN switches, but an infected computer somewhere in the manufacturing process – possible in a factory run by a third-party supplier – is the most obvious suspect.

    Regardless of where 'it's' made, it's still HP's baby... Where do I sign up for the class action suit?

  13. Re:Increase in bashed-in heads seen in hospitals.. by Anonymous Coward · · Score: 1

    A ready made, turn-key botnet slave in a box, direct from your hardware vendor! Oh Joy! ;-)

    RTFA or do not post. It was a freaking cheapo flash card from the pachinko loona electric corp .tw that is the problem. You can bet that HP got them dirt cheap. The switch itself is not the problem as the firmware just reads the MS fat file system that the flash card uses and no doubt just stores log data and the like on an external flash. I can just as easily put that same infected flash card on my Linux firmware TV or blueray player and not have problems or even stick into my laptop (which runs Linux) and still not have anything to worry about. However if I stick into a Windows PC like a default XP reinstall with autorun turned on it is a different story.

    The moral of the story is HP is cheap and once again they are reselling product from sources that they should more closely monitor. After all it is the responsibility of HP, Dell, IBM, Lenovo and all the manufactures that sell systems to make sure that Windows systems are safe... not Microsoft ;-) The very fact that malware like this still exists and can infect a system tells me that the more older Windows XP systems that get infected the happier Microsoft is.

  14. Flash Card Imager Minted in Redmond... by IBitOBear · · Score: 1

    You don't have to have the hardware made over seas if you home your firmware god-copies on an american made petri dish.

    (obligatory windowz suxors reference, proving that anything can be turned into a partisan rant. 8-)

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  15. Not sure whats worse... by papasui · · Score: 1

    having your machines infected with the virus or having spent money on a HP layer 3 switch.

    1. Re:Not sure whats worse... by Anonymous Coward · · Score: 0

      What's wrong with HP L3 switches? I maintain a few 8212zls, and have no issues with them.

    2. Re:Not sure whats worse... by DigiShaman · · Score: 1

      HP ProCurve switches are among the best the industry has to offer. Not all gigabit switches are the same. Reliability, warranty, support, and internal throughput are all important aspects when choosing a switch.

      --
      Life is not for the lazy.
    3. Re:Not sure whats worse... by cbope · · Score: 1

      I run a 16-port Gigabit HP ProCurve switch at home, because I was tired of the crappy quality of consumer-level, "disposable" switches. It's built like a tank and has throughput numbers far higher than consumer-level gear, plus I don't need to worry about either the switch failing after 1.5 years of 24/7 operation, like consumer gear. I have had failures from every major consumer brand of switch or router over the past 12 years or so, D-Link, Netgear, Linksys, etc. I expect my HP switch to last at least 10 years if not longer.

      Unlike their computer division, HP's networking division still makes quality gear. Too bad they will get some bad press for this, although I can see how something like this can happen as it appears the virus is Windows-based and would not be detected during switch manufacturing, unless the switch was running embedded Windows. I would almost bet it's a supplier infection, where the CF cards were tested or programmed on an infected Windows machine and then shipped to HP.

    4. Re:Not sure whats worse... by jaymemaurice · · Score: 1

      My exprience with procurves must have been very different then yours. You must not be doing multicast, care when the switch decides not to switch packet, or when the switch keeps forgetting its cam table. You also must not be changing vlans through SNMP, have a large number of vlans, or enjoy a proper CLI.
      For the price, you should be able to get better gear.

      --
      120 characters ought to be enough for anyone
    5. Re:Not sure whats worse... by Anonymous Coward · · Score: 0

      We use multicast. I haven't struck any of the issues you mentioned, but we only have static VLANs, and there's only about 35 of them. What are the symptoms when your gear forgets the cam table, unicast becoming broadcast?

      I like the CLI - it's way more intuitive than the 3Com crap we used to use.

  16. 3 CEOs in as many years by gelfling · · Score: 1

    How's that working out? Hewlett and Packard would cry if they came back to see what you've done to their baby.

  17. Re:Increase in bashed-in heads seen in hospitals.. by fuzzyfuzzyfungus · · Score: 2

    Honestly, I'd be more worried about the fact that my not-at-all-cheap(and in many environments, not redundant, except at key points, definitely not for individual workstations) switches are booting from a dirt cheap flash card that's had its image loaded with verification so lousy that it missed the viral payload...

    I've have a fair number of cheap and nasty flash cards die on me, and that'd be a whole lot more annoying if there were a few grand worth of switch wrapped around the card when it happened(though I can say from personal 'dding-a-working-card-onto-a-CF-card-from-Staples-to-replace-the-boot-medium-of-$3k-worth-of-Alcatel' experience that HP is hardly the only one that does it).

  18. Is there... by Anonymous Coward · · Score: 0

    Anything HP can't fuck up?

  19. ..which has been a hot topic as of late (ER-UM-AY) by Anonymous Coward · · Score: 0

    This, ladies and germs, is a sure indicator that the person or persons in question, herewithto notwithstanding bridal cardiac infarctions, under penalty of perjurious law and tort, is none other than a cliche'-ridden Freudian-angst suffering closet homsexual transvestite. Like Taco. Where is Taco? I miss my Taco.

    And if OJ can get, so can this guy, ay Judge Judy-Ito?

  20. Re:Increase in bashed-in heads seen in hospitals.. by cosm · · Score: 1

    A ready made, turn-key botnet slave in a box, direct from your hardware vendor! Oh Joy! ;-)

    If you had made last Tuesdays' 2:30 you'd have known that this is a new solution from our vendor to provide ubiquitous control and synergistic integration!

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  21. Re:Increase in bashed-in heads seen in hospitals.. by jaymemaurice · · Score: 1

    I would have thought part of the manufacturing process would have been dd-ing the card with a fresh layout... forget they are cheap cards - electronic parts are cheap, especially in wholesale and the fact your Alcatel/Cisco/Procurve hardware probably got their $.00001 resistors and surface mount diodes from the same place. ... nothing should have survived the write / verify of the media during their final manufacturing/QA process.

    --
    120 characters ought to be enough for anyone
  22. Time Zones by ThatsNotPudding · · Score: 1

    Hello? Quality Control? Are you there?

    Not yet; you have to remember the time difference when calling Shenzhen.

  23. Re:Increase in bashed-in heads seen in hospitals.. by rts008 · · Score: 1

    RTFA or do not post. It was a freaking cheapo flash card from the pachinko loona electric corp .tw that is the problem.

    Well, I did RTFA.

    So, are you saying that a flash card is not part of the hardware? Is the card software or firmware, or is actually a piece of hardware?
    Did not HP supply this 'cheapo flash card' with the switch?

    So, really, just what is your objection to my comment?

    Increase your level of education and improve your reading comprehension to at least a high-school level, or do not post. ;-)

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti