Hewlett-Packard has been accidentally shipping some of its network switches with compact flash cards that contain malware.
In a security bulletin issued by the company, HP stated that it had identified a potential security vulnerability for certain ProCurve 5400zl series switches that had been purchased after 30 April last year.
The switches contain a compact flash card that stores their boot software and configuration files. HP has advised that certain switches shipped with compact flash cards that also contained a virus. The switches themselves are not affected by the virus, but if a user removes the card and accesses it from a computer, it could potentially infect that computer.
In order to address the problem, HP has provided users with a script that an administrator can run to perform a "software purge". It deletes the contents of the flash card in place, so there is no need to remove the card and potentially expose a computer to infection. HP's advisory states that the purge will not affect the operation of the switch, and that it should be run by customers who don't want to experience the downtime involved in removing the flash card.
Alternatively, users who have affected switches but don't want to run the script, or who don't have the switches in operation and therefore cannot run it, can apply to HP for a physical replacement. HP will send a new management module, which contains the compact flash card, and users will be required to return the affected hardware once their replacement is installed.
HP has not revealed what malware is present on the affected cards, or how it came to be present, but given that HP is not a manufacturer of compact flash cards itself, it may point to a supply chain issue.