[LACNIC/Seguridad] Conectividad e2e (Fwd: [security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders...)

Fernando Gont fernando en gont.com.ar
Mar Ene 10 11:18:36 BRST 2012 

Estimados,

Mas que probable que hayan leido estos advisories sobre impresoras HP
(ver debajo), los cual nos vuelve a llevar a nuestra interminable
discusión/flame-war :-) sobre conectividad e2e, etc.

Este es un simple ejemplo en en cual un filtro estilo "solo se admiten
conexiones salientes" podria prevenir que las impresoras sean own'eadas.

En un mundo "internet of things", probablemente también podría evitar
que en muchos casos se puedan realizar ataques similares contra "la
heladera" ("viejo, se nos pudrieron las naranjas porque nos hackearon la
heladera" sort of thing :-) ), y dispositivos varios, etc.

A falta de termino para describir la (IMO, correcta) motivación de
quienes despliegan dispositivos que rompen la mencionada conectividad
extremo a extremo por motivos de seguridad, me atrevo a coin'ear el
"Primer principio de Johansson": "I don't like that kind of connection:
it's too connected" [1]

[1] http://youtu.be/fgdujfwSjXw

P.S.: Para evitar que se hagan interpretaciones incorrectas: Lo de
arriba no tiene nada que ver con CGN. Si te quisieron vender un CGN con
el argumento de seguridad, haz un bien a la comunidad, y denuncialos. :-)

Saludos,
Fernando




-------- Original Message --------
Subject: [security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP
Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
Date: Mon,  9 Jan 2012 09:09:45 -0500 (EST)
From: security-alert en hp.com
To: bugtraq en securityfocus.com

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03102449
Version: 3

HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital
Senders, Remote Firmware Update Enabled by Default

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2011-11-30
Last Updated: 2012-01-09

Potential Security Impact: Remote firmware update enabled by default

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP
printers and HP digital senders. The vulnerability could be exploited
remotely to install unauthorized printer firmware.

References: CVE-2011-4161

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION
 below for a list of impacted products.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2011-4161    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

Note: For further information on Secure Printing and Imaging please
refer to http://www.hp.com/go/secureprinting

Remote Firmware Update (RFU): The Remote Firmware Update (RFU) feature
is enabled by default. A firmware update can be sent remotely to port
9100 without authentication. This could allow unauthorized modification
of the device firmware. The unauthorized firmware could impact the
confidentiality and integrity of data sent to and received from the
device. The unauthorized firmware could also cause a Denial of Service
(DoS) to the device.

RESOLUTION
The following steps can be taken to avoid unauthorized firmware updates:

Update the firmware to a version that implements code signing
Disable the Remote Firmware Update

The code signing feature verifies that firmware updates are properly
signed. This will prevent the installation of invalid firmware updates.

Note: A firmware update may be required to allow the RFU to be disabled
or to implement code signing. Code signing is not available on all the
affected devices. Please refer to the following table.

Product
 Firmware Update Required to Allow Disabling RFU
 Firmware Update Required for Code Signing

HP LaserJet Enterprise 500 color M551
 No update required
 No update required

HP LaserJet Enterprise 600 M601
 No update required
 No update required

HP LaserJet Enterprise 600 M602
 No update required
 No update required

HP LaserJet Enterprise 600 M603
 No update required
 No update required

HP Color LaserJet CM1312 Multifunction Printer
 20111209 or later
 Code signing not available

HP LaserJet Pro CM1415 Color Multifunction Printer
 20111215 or later
 No update required

HP Color LaserJet CP1510
 20111209 or later
 Code signing not available

HP LaserJet M1522 Multifunction Printer
 20111212 or later
 Code signing not available

HP LaserJet Pro CP1525 Color Printer
 20111215 or later
 No update required

HP LaserJet Pro M1536 Multifunction Printer
 20111215 or later
 No update required

HP Color LaserJet CP2025
 20111208 or later
 Code signing not available

HP LaserJet P2035
 20111213 or later
 Code signing not available

HP LaserJet P2055
 20111214 or later
 Code signing not available

HP Color LaserJet CM2320 Multifunction Printer
 20111209 or later
 Code signing not available

HP LaserJet M2727 Multifunction Printer
 20111212 or later
 Code signing not available

HP Color LaserJet 3000
 No update required
 Code signing not available

HP LaserJet P3005
 No update required
 Code signing not available

HP LaserJet Enterprise P3015
 No update required
 20011213 07.130.0B or later

HP LaserJet M3027 Multifunction Printer
 No update required
 20111212 48.240.0B or later

HP LaserJet M3035
 No update required
 20111212 48.240.0B or later

HP Color LaserJet CP3505
 No update required
 Code signing not available

HP Color LaserJet CP3525
 No update required
 20111212 06.130.0B or later

HP Color LaserJet CM3530
 No update required
 20111213 53.170.1B or later

HP Color LaserJet 3800
 No update required
 Code signing not available

HP Color LaserJet CP4005
 No update required
 Code signing not available

HP LaserJet P4014
 No update required
 20111214 04.160.2B or later

HP LaserJet P4015
 No update required
 20111214 04.160.2B or later

HP LaserJet 4240
 No update required
 Code signing not available

HP LaserJet 4250
 No update required
 Code signing not available

HP LaserJet M4345 Multifunction Printer
 No update required
 20111212 48.240.0B or later

HP LaserJet 4350
 No update required
 Code signing not available

HP LaserJet P4515
 No update required
 20111214 04.160.2B or later

HP Color LaserJet Enterprise CP4525
 No update required
 20111213 07.110.2B or later

HP Color LaserJet Enterprise CM4540 Multifunction Printer
 No update required
 No update required

HP LaserJet Enterprise M4555 Multifunction Printer
 No update required
 No update required

HP Color LaserJet 4700
 No update required
 Code signing not available

HP Color LaserJet 4730 Multifunction Printer
 No update required
 Code signing not available

HP Color LaserJet CM4730 Multifunction Printer
 No update required
 20111212 50.220.1B or later

HP LaserJet M5025 Multifunction Printer
 No update required
 20111212 48.240.0B or later

HP LaserJet M5035 Multifunction Printer
 No update required
 20111212 48.240.0B or later

HP LaserJet 5200L
 No update required
 20111214 08.180.1B or later

HP LaserJet 5200N
 No update required
 20111214 08.180.1B or later

HP Color LaserJet Professional CP5225 Printer
 20111206 or later
 Code signing not available

HP Color LaserJet CP5525
 No update required
 No update required

HP Color LaserJet 5550
 No update required
 Code signing not available

HP Color LaserJet CP6015
 No update required
 20111212 04.150.0B or later

HP Color LaserJet CM6030
 No update required
 20111212 52.190.1B or later

HP Color LaserJet CM6040
 No update required
 20111212 52.190.1B or later

HP CM8060 Color Multifunction Printer with Edgeline
 No update required
 Code signing not available

HP LaserJet 9040
 No update required
 20111213 08.220.1B or later

HP LaserJet M9040 Multifunction Printer
 No update required
 20111212 51.190.1B or later

HP LaserJet 9050
 No update required
 20111213 08.220.1B or later

HP LaserJet M9050 Multifunction Printer
 No update required
 20111212 51.190.1B or later

HP 9200c Digital Sender
 No update required
 Code signing not available

HP 9250c Digital Sender
 No update required
 20111219 48.230.0B or later

HP Color LaserJet 9500
 No update required
 Code signing not available

How to Disable the Remote Firmware Update (RFU)

For instructions about how to disable the RFU please refer to the
following document: Configuring Remote Firmware Update on HP Printers
and Multifunction Devices

The document is available using ftp:

ftp.usa.hp.com
account: sb02728
password: Secure12

or

ftp://sb02728:Secure12@ftp.usa.hp.com/

File name: Configuring Remote Firmware Update on HP Printing Devices.pdf

How to Download a Firmware Update

The table above contains links for required firmware updates. Firmware
updates for any of the products can also be downloaded as follows.

Browse to www.hp.com/go/support then:

Select "Drivers & Software"
Enter the product name listed in the table above into the search field
Click on "Search"
If the search returns a list of products click on the appropriate product
Under "Select operating system" click on "Cross operating system (BIOS,
Firmware, Diagnostics, etc.)"
If the "Cross operating system ..." link is not present, select any
Windows operating system from the list.
Select the appropriate firmware update under "Firmware"

HISTORY
Version:1 (rev.1) - 30 November 2011 Initial release
Version:2 (rev.2) - 23 December 2011 Code signing firmware available
Version:3 (rev.3) - 9 January 2012 Combined tables

Third Party Security Patches: Third party security patches that are to
be installed on systems running HP software products should be applied
in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this
Security Bulletin, contact normal HP Services support channel.  For
other issues about the content of this Security Bulletin, send e-mail to
security-alert en hp.com.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert en hp.com

Subscribe: To initiate a subscription to receive future HP Security
Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security
Bulletins is available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented
in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is
provided "as is" without warranty of any kind. To the extent permitted
by law, neither HP or its affiliates, subcontractors or suppliers will
be liable for incidental,special or consequential damages including
downtime cost; lost profits;damages relating to the procurement of
substitute products or services; or damages for loss of data, or
software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other countries. Other
product and company names mentioned herein may be trademarks of their
respective owners.

Más información sobre la lista de distribución Seguridad