Multiple HP products contain a flaw that may lead to unauthorized disclosure of a router user password. The issue is that h3c-user.mib and hh3c-user.mib grant read-create access to the following objects within the (h)h3cUserInfoEntry sequence: (h)h3cUserName, (h)h3cUserPassword, (h)h3cAuthMode, and (h)h3cUserLevel. An attacker who has the SNMP public community string can view these entries. The (h)h3cUserPassword can be configured in a variety of ways, including cleartext or stored with SHA-256 encryption. Support for SHA-256 is a relatively recent addition to routers, so many of the deployed devices may have passwords in plaintext.
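A configuration audit for the two conditions that combine in this issue (a default SNMP community string and a local-user password kept in cleartext), added here as an example and not taken from the original advisory or from HP. It assumes Comware-style configuration statements (`snmp-agent community`, `local-user`, `password simple` / `password cipher`); the sample configuration is constructed.

```python
import re

# Constructed sample of a Comware-style configuration export (not from a real device).
SAMPLE_CONFIG = """\
snmp-agent community read public
snmp-agent community write Zq7-constructed-rw
local-user admin
 password simple Constructed-Pw-1
 authorization-attribute level 3
local-user operator
 password cipher $c$3$constructedciphertextvalue
 authorization-attribute level 1
"""

# Well-known default community names (assumption: treat both as findings).
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return (line_number, finding) tuples for the two exposure conditions."""
    findings = []
    current_user = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m and m.group(2).lower() in DEFAULT_COMMUNITIES:
            findings.append(
                (lineno, f"default SNMP {m.group(1)} community '{m.group(2)}'"))
            continue
        # A non-indented local-user line opens a new user block.
        m = re.match(r"local-user (\S+)", line)
        if m and not raw.startswith(" "):
            current_user = m.group(1)
            continue
        # 'simple' marks a cleartext password; the value itself is never echoed.
        if current_user and re.match(r"password simple \S+", line):
            findings.append(
                (lineno, f"cleartext password for local user '{current_user}'"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```
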