Unauthenticated HP/Aruba Networks Switches

Hey there, here’s a quick bit of info about HP/Aruba switches whose management interfaces are reachable from the internet with no authentication at all, while still switching production traffic.

The Shodan dork for these is: https://www.shodan.io/search?query=eHTTP (eHTTP is the Server header string the switch’s built-in web server presents).

Note that most do have authentication, and this write-up focuses on the ones that have no auth. I have identified 850+ switches that are currently unauthenticated on the web UI.

There are three versions of the web UI, normally served on port 80. The web server can be configured to listen on a different port, so check the scan results for other ports rather than assuming 80.

/html/nhome.html is the classic version of the web UI
/nextgen/ui/index.html is the newer version of the web UI (ArubaOS-Switch)
/home.html is the older Java-based version, under the ProCurve label

Because there is no login to fail, no authentication failures or security events ever show up in the logs: an attacker’s changes look exactly like an administrator’s. These switches can be reconfigured at will from the web UI, or via telnet, which is open in the same way.

With CLI access over telnet, an attacker can do a number of things with the switch, from reconfiguring ports and VLANs to redirect traffic, to staging malware, to using the switch as a foothold for pivoting into the network behind it.

Solutions

The best fix is to keep the management interface off the internet entirely (a management VLAN, a VPN, or a jump host). If you must have your switches reachable in this way, here are some steps you can take to secure them.

Set a username and password! This covers both telnet and the web UI, since they share the same manager/operator credentials. From the CLI, enter configuration mode (configure on ProCurve/ArubaOS-Switch; system-view is the equivalent on HP’s Comware-based models) and use the password command, e.g. password manager to set the manager-level password.

Disable the web UI! If you don’t need the web UI, turn it off: in configuration mode, no web-management disables it (the command the post refers to, web-management, toggles it). If you do need it, use web-management ssl rather than plain HTTP, and likewise prefer SSH (ip ssh) over telnet and disable the telnet server (no telnet-server) once SSH works.

You can also enable logging from the command line, and in particular send it to a remote syslog host (logging <syslog-host>) so configuration changes are visible somewhere the attacker cannot erase. If you find that you are unable to telnet into your switch, reboot it from the web UI (this does interrupt traffic) and then telnet in.
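The following script is an added example, not part of the original write-up, for checking a switch against the three UI paths listed earlier and for verifying afterwards that the fixes in this section actually took effect (password set, or web UI disabled). It assumes, and these are my assumptions rather than something the post states, that an open UI answers 200 with the management page, a password-protected one answers 401 or returns a login form containing a password field, and a disabled web server refuses the connection. Validate those assumptions against one switch you control before trusting the verdicts at scale, and only run it against hosts you are authorised to test.

```python
"""Check whether an HP/Aruba ProCurve-style switch exposes its web UI without
authentication, and re-run it after hardening to confirm the change.

Added example; not code from the original post. Assumptions (mine): an
unauthenticated UI returns 200 with the page, a protected one returns 401 or a
login form with a password field, and a disabled UI refuses the connection.
"""
import socket
import sys
import urllib.error
import urllib.request

# The three UI entry points named in the post.
UI_PATHS = (
    "/nextgen/ui/index.html",  # newer ArubaOS-Switch UI
    "/html/nhome.html",        # classic web UI
    "/home.html",              # older Java-based ProCurve UI
)

# A 200 whose body carries a password input is a login page, not the UI
# itself (assumption about what the login form looks like).
LOGIN_MARKERS = (b'type="password"', b"type='password'", b"type=password")


def classify(status, headers, body):
    """Map one HTTP response to a verdict string.

    status  -- int status code, or None when the connection failed
    headers -- dict with lower-cased header names
    body    -- response bytes
    """
    if status is None:
        return "UNREACHABLE"
    if status == 401 or "www-authenticate" in headers:
        return "AUTH"
    if status == 200:
        if any(marker in body.lower() for marker in LOGIN_MARKERS):
            return "AUTH"
        return "OPEN"
    return "OTHER"  # 404, redirects, 5xx: path not served by this firmware


def fetch(host, port, path, timeout=5.0):
    """Plain HTTP GET returning (status, headers, body); never raises."""
    url = f"http://{host}:{port}{path}"
    req = urllib.request.Request(url, headers={"User-Agent": "switch-ui-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read(65536)
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return err.code, hdrs, b""
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, {}, b""


def check_switch(host, port=80, fetch=fetch):
    """Probe every known UI path; return (overall_verdict, per_path_verdicts).

    OPEN wins over AUTH, because a single unauthenticated entry point is enough.
    NO_WEB_UI means nothing answered on the port at all (web UI disabled or
    moved elsewhere). `fetch` is injectable so the logic can be tested offline.
    """
    details = {path: classify(*fetch(host, port, path)) for path in UI_PATHS}
    verdicts = set(details.values())
    if "OPEN" in verdicts:
        overall = "OPEN"
    elif "AUTH" in verdicts:
        overall = "AUTH"
    elif verdicts == {"UNREACHABLE"}:
        overall = "NO_WEB_UI"
    else:
        overall = "OTHER"
    return overall, details


if __name__ == "__main__":
    # Usage: python switch_ui_check.py 192.0.2.10 192.0.2.11:8080
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        overall, details = check_switch(host, int(port or 80))
        print(f"{target}: {overall}")
        for path, verdict in details.items():
            print(f"  {path}: {verdict}")
```

Run it once before hardening (expect OPEN on at least one path), then after setting the password (expect AUTH) or after no web-management (expect NO_WEB_UI). Because the probes are plain GETs, they do not change anything on the switch.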

A full guide to setting up and securing your switch can be found here