HP Ships Switches With Malware Infected Flash Cards
wiredmikey writes "HP has warned of a security vulnerability associated with its ProCurve 5400 zl switches that contain compact flash cards that the company says may be infected with malware. The company warned that using one of the infected compact flash cards in a computer could result in the system being compromised. According to HP, the potential threat exists on HP 5400 zl series switches purchased after April 30, 2011 with certain serial numbers listed in the security advisory. This issue once again brings attention to the security of the electronics supply chain, which has been a hot topic as of late."
Is it made in China? (Score:4, Interesting)
Flash Card Imager Minted in Redmond... (Score:2)
You don't have to have the hardware made overseas if you home your firmware god-copies on an American made petri dish.
(obligatory windowz suxors reference, proving that anything can be turned into a partisan rant. 8-)
Paging Quality control (Score:5, Insightful)
Hello? Quality Control? Are you there?
Re: (Score:3)
This sounds more like a failure in the manufacturing process - either (a) the malware was on the golden copy that was generated by HP (which would be an engineering failure made in the USA), or (b) the malware got added by the fabrication house (which would be
Re: (Score:2)
As this sounds, problems only occur if you take the compact flash out of the switches and use them with a computer which could be infected by the malware (i.e., a PC). The switch itself is not damaged by the malware, it's just an extra file that is ignored by the firmware.
Re: (Score:1)
It could have been worse, the flash card could have been infected with their new printer OS, the switch would keep asking you for a new Ethernet cable even though you just installed a fresh one and boot up time would last 10-20 minutes as it cycled all the status lights 100 times just to make sure they are working then would require a bloated software program to work, only to find out the Windows 7 computers won't work with the switch half the time because of the software. And if you're lucky the switch won't
Re: (Score:2)
yep it's there. but quality control is just "do all the stuff that was on the document" so nobody can be blamed.
Time Zones (Score:2)
Not yet; you have to remember the time difference when calling Shenzhen.
Re: (Score:2)
This is a huge failure of the Chinese quality control. If they had done everything right, this malware would have gone undetected.
--
All that is necessary for Apple to triumph is for Google men to do nothing.
You say malware... (Score:4, Interesting)
Likely the system that loads the image has malware (Score:3)
Likely the system that loads the image has malware on it, and it loads a FAT file system, and it's running Windows with malware that auto-copies and installs itself to any disk that it sees.
Spoiler alert!! (Score:2)
Parent post spoiled this whole thread by giving away the suspenseful ending.
Not to double post... (Score:5, Informative)
Re: (Score:1)
The switches probably run Linux internally, so the malware wasn't noticed by QA. Take the card out of a switch and stick it in your Windows PC, and the issue surfaces.
Re: (Score:2, Informative)
Re: (Score:1)
Re: (Score:2)
So the HP warning supposes:
1. Average Joe employee has physical access to the switches.
2. AJ will be motivated to make off with a component from the switches.
3. AJ will happily stick the purloined part into a Windows PC.
4. The Windows PC will auto play the contents.
That sounds about right.
Re: (Score:1)
How much does that cost? (Score:5, Funny)
Malware sure is expensive these days!
Remember kids, the best things in life are for free
Re: (Score:2)
The fact they don't want to kill their host.
Re: (Score:2)
In the future, what's to stop China from controlling everyone's infrastructure if we rely on them to manufacture everything?
The fact they don't want to kill their host.
Wrong analogy. Replace "host" with "goose that laid the golden egg". The goose is expendable and/or replaceable.
Re: (Score:2)
Wrong analogy. Replace "host" with "goose that laid the golden egg". The goose is expendable and/or replaceable.
Citation Please.
-AI
Increase in bashed-in heads seen in hospitals.... (Score:4, Interesting)
I have admiration and sympathy for IT shops that truly try to set up and maintain a secure, productive network. At times, it must seem that EVERYONE and everything are working against you, and you're just bashing your head against a wall.
A ready made, turn-key botnet slave in a box, direct from your hardware vendor! Oh Joy! ;-)
Re: (Score:1)
A ready made, turn-key botnet slave in a box, direct from your hardware vendor! Oh Joy! ;-)
RTFA or do not post. It was a freaking cheapo flash card from the pachinko loona electric corp .tw that is the problem. You can bet that HP got them dirt cheap. The switch itself is not the problem as the firmware just reads the MS FAT file system that the flash card uses and no doubt just stores log data and the like on an external flash. I can just as easily put that same infected flash card on my Linux firmware TV or Blu-ray player and not have problems or even stick into my laptop (which runs Linux) an
Re: (Score:3)
I've had a fair number of cheap and nasty flash cards die on me, and that'd be a whole lot more annoying if there were a few grand worth of switch wrapped around the card when it happened(tho
Re: (Score:1)
Re: (Score:2)
RTFA or do not post. It was a freaking cheapo flash card from the pachinko loona electric corp .tw that is the problem.
Well, I did RTFA.
So, are you saying that a flash card is not part of the hardware? Is the card software or firmware, or is it actually a piece of hardware?
Did not HP supply this 'cheapo flash card' with the switch?
So, really, just what is your objection to my comment?
Increase your level of education and improve your reading comprehension to at least a high-school level, or do not post. ;-)
Re: (Score:2)
A ready made, turn-key botnet slave in a box, direct from your hardware vendor! Oh Joy! ;-)
If you had made last Tuesday's 2:30 you'd have known that this is a new solution from our vendor to provide ubiquitous control and synergistic integration!
Does HP... (Score:2)
Re: (Score:2)
Does HP still exist!?
The sign and logo are still in use.
Not sure what's worse... (Score:2)
Re: (Score:1)
For the price, you should be able to get better gear.
Re: (Score:2)
Re: (Score:2)
I run a 16-port Gigabit HP ProCurve switch at home, because I was tired of the crappy quality of consumer-level, "disposable" switches. It's built like a tank and has throughput numbers far higher than consumer-level gear, plus I don't need to worry about either the switch failing after 1.5 years of 24/7 operation, like consumer gear. I have had failures from every major consumer brand of switch or router over the past 12 years or so, D-Link, Netgear, Linksys, etc. I expect my HP switch to last at least 10
3 CEOs in as many years (Score:2)
How's that working out? Hewlett and Packard would cry if they came back to see what you've done to their baby.