-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: Security Advisory 2011-0023 Title: HP Printers and Digital Senders Remote Security Bypass Vulnerability Version History: 02/12/2011 Initial Publication. Summary ======= HP Printers and Digital Senders are prone to a security-bypass vulnerability leading to the installation of a malicious firmware [1]. No fix is available but a workaround is provided by the vendor. An exploit exists but the code is not publicly available. CVE-2011-4161 Severity Level [3] CVSS2 Base 10 Remote Yes Local No Credibility Vendor Confirmed Ease Exploit Available Authentication Not Required Potential Impact ================ An attacker may leverage this issue to bypass certain security restrictions and remotely install unauthorised printer firmware. 1. An attacker locates a vulnerable HP Printer or Digital Sender. 2. The attacker sends a crafted request to TCP port 9100 to update the device with malicious firmware. 3. The device fails to authenticate the attacker and updates the firmware as requested. The malicious firmware may lead to the disclosure and/or malicious update of data sent to and received from the device and eventually to a Denial of Service (DoS) to the device. The attack can also be used to introduce a compromised and under-controlled system and carry out further attacks in the network. Vulnerable systems ================== HP Color LaserJet 3000 HP Color LaserJet CM6040 HP Color LaserJet CP3525 HP Color LaserJet CP5525 HP Color LaserJet CM4730 MFP HP Color LaserJet CP3505 HP Color LaserJet CP4005n HP Color LaserJet CP6015 HP Color LaserJet Enterprise CP4520 HP Color LaserJet Enterprise CP4525 HP Digital Sender 9250c HP Digital Sender 9200C HP LaserJet 5200 HP LaserJet M5035 HP LaserJet M9050 HP LaserJet 4240 HP LaserJet 4250 HP LaserJet 4345 MFP HP LaserJet 4350 HP LaserJet 9040 HP LaserJet 9050 HP LaserJet Enterprise 500 color M551 HP LaserJet Enterprise 600 M601 HP LaserJet Enterprise 600 M602 HP LaserJet Enterprise 600 M603 HP LaserJet Enterprise M4555 MFP HP LaserJet Enterprise P3015 HP LaserJet M9040 HP LaserJet P3005 HP LaserJet P4014 HP LaserJet P4015 HP LaserJet P4515 Short Summary What can you do ? ================= Solutions: No patch available from the vendor. The vendor recommends disabling the 'Printer Firmware Update' setting. Please see the vendor advisory for more information[1][2]. Work-arounds: Block external access at the network boundary unless external parties require service. If global access isn't needed filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit. What to tell your users ? ========================= No impact on the user. This advisory is meant for administrator. More information ================ [1] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449 [2] http://h71028.www7.hp.com/enterprise/downloads/HP-Imaging10.pdf [3] CVSS Details CVSS Version 2 Scores CVSS2 Base 10 CVSS2 Temporal 9 CVSS2 Base Vector AV:N/AC:L/Au:N/C:C/I:C/A:C CVSS2 Temporal VectorE:F/RL:W/RC:C More information about CVSS is available at http://www.first.org/cvss/cvss-guide.html Best regards, CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP; KeyID; 0; x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 -----BEGIN PGP SIGNATURE----- Version: BCPG v1.39 iQJXBAEBAgBBBQJO2NOFOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4MtGw/6Avnul2Dj KDVnZW3lxPlqKF5jwRbRRlrvEgDuSekyKOVgV4EVg0Z5P+p0aCAY30sBaXoxFhzU 3j0YSRSgKMWd6mv8BabXtxYVwwsY53cFSus4fQUWyaBeIY0XMV7sEtjrZ/G+eh14 +o333mWJGgezgVZ0obH6TQef0c1tM2mhIBVhW1rP4ItkDzOrtrdi79SQEETFSr3i 5vqe5Zdhpbchyx+K1KFSLsYuaZhMmDhLgP7wJ5ImcUWM6wiZd7itclXcim/fVLpR YUZjCXmJzQAR2oMu60k7JnM95Cyjl0NxioyzxY8DzvZKNEO/Ki1w41adn67iQfoo 4/a/s27aoatnWYFYk9efOij3xh1P2g6iPwoXoDt5e/MaKJ6Xi/v8UVmts7Ob//NU wElyJTorar+XKlMtrwEun+b5VR1oR2LkUO+oOEPk/SIPJJEQmgU/CkBNDTUF2AN7 2NarwD9DsLRn6PT+7ME5lXLL/+EG91AN4F+ZVcvR6cc/HLsW3XNUN5XXlMXSnd3n uAxGfkQ0CGw2DiDOZcqtTL/+noD/T1bENnk2tFyY8eY9nD8MdQywK6BAkD3v+uBA 0QZ9wIj9gGfjt9zHdGEK/G1//xddZ8WvReI9MfMjayTkzfB8nlKt1Kw8Yj/cpNFW HHdmwdIZNHO5zUaIG9WtQxd3iot3ixb8h1Y= =iHZc -----END PGP SIGNATURE-----