[LACNIC/Seguridad] Conectividad e2e (Fwd: [security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders...)
Christian O'Flaherty
christian.oflaherty en gmail.com
Mar Ene 10 11:32:05 BRST 2012
Hola Fernando,
> P.S.: Para evitar que se hagan interpretaciones incorrectas: Lo de
> arriba no tiene nada que ver con CGN. Si te quisieron vender un CGN con
> el argumento de seguridad, haz un bien a la comunidad, y denuncialos. :-)
>
Con este párrafo se evitan las discusiones.
No tengo problema con el NAT mientras yo pueda controlarlo. Los CGN
eliminan la posibilidad de e2e indiscriminadamente.
El CGN es malo en todo sentido (no solo como solución de seguridad).
Christian
> Saludos,
> Fernando
>
>
>
>
> -------- Original Message --------
> Subject: [security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP
> Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
> Date: Mon, 9 Jan 2012 09:09:45 -0500 (EST)
> From: security-alert en hp.com <javascript:;>
> To: bugtraq en securityfocus.com <javascript:;>
>
> SUPPORT COMMUNICATION - SECURITY BULLETIN
>
> Document ID: c03102449
> Version: 3
>
> HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital
> Senders, Remote Firmware Update Enabled by Default
>
> NOTICE: The information in this Security Bulletin should be acted upon
> as soon as possible.
>
> Release Date: 2011-11-30
> Last Updated: 2012-01-09
>
> Potential Security Impact: Remote firmware update enabled by default
>
> Source: Hewlett-Packard Company, HP Software Security Response Team
>
> VULNERABILITY SUMMARY
> A potential security vulnerability has been identified with certain HP
> printers and HP digital senders. The vulnerability could be exploited
> remotely to install unauthorized printer firmware.
>
> References: CVE-2011-4161
>
> SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
> Please refer to the RESOLUTION
> below for a list of impacted products.
>
> BACKGROUND
>
> CVSS 2.0 Base Metrics
> ===========================================================
> Reference Base Vector Base Score
> CVE-2011-4161 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
> ===========================================================
> Information on CVSS is documented
> in HP Customer Notice: HPSN-2008-002
>
> Note: For further information on Secure Printing and Imaging please
> refer to http://www.hp.com/go/secureprinting
>
> Remote Firmware Update (RFU): The Remote Firmware Update (RFU) feature
> is enabled by default. A firmware update can be sent remotely to port
> 9100 without authentication. This could allow unauthorized modification
> of the device firmware. The unauthorized firmware could impact the
> confidentiality and integrity of data sent to and received from the
> device. The unauthorized firmware could also cause a Denial of Service
> (DoS) to the device.
>
> RESOLUTION
> The following steps can be taken to avoid unauthorized firmware updates:
>
> Update the firmware to a version that implements code signing
> Disable the Remote Firmware Update
>
> The code signing feature verifies that firmware updates are properly
> signed. This will prevent the installation of invalid firmware updates.
>
> Note: A firmware update may be required to allow the RFU to be disabled
> or to implement code signing. Code signing is not available on all the
> affected devices. Please refer to the following table.
>
> Product
> Firmware Update Required to Allow Disabling RFU
> Firmware Update Required for Code Signing
>
> HP LaserJet Enterprise 500 color M551
> No update required
> No update required
>
> HP LaserJet Enterprise 600 M601
> No update required
> No update required
>
> HP LaserJet Enterprise 600 M602
> No update required
> No update required
>
> HP LaserJet Enterprise 600 M603
> No update required
> No update required
>
> HP Color LaserJet CM1312 Multifunction Printer
> 20111209 or later
> Code signing not available
>
> HP LaserJet Pro CM1415 Color Multifunction Printer
> 20111215 or later
> No update required
>
> HP Color LaserJet CP1510
> 20111209 or later
> Code signing not available
>
> HP LaserJet M1522 Multifunction Printer
> 20111212 or later
> Code signing not available
>
> HP LaserJet Pro CP1525 Color Printer
> 20111215 or later
> No update required
>
> HP LaserJet Pro M1536 Multifunction Printer
> 20111215 or later
> No update required
>
> HP Color LaserJet CP2025
> 20111208 or later
> Code signing not available
>
> HP LaserJet P2035
> 20111213 or later
> Code signing not available
>
> HP LaserJet P2055
> 20111214 or later
> Code signing not available
>
> HP Color LaserJet CM2320 Multifunction Printer
> 20111209 or later
> Code signing not available
>
> HP LaserJet M2727 Multifunction Printer
> 20111212 or later
> Code signing not available
>
> HP Color LaserJet 3000
> No update required
> Code signing not available
>
> HP LaserJet P3005
> No update required
> Code signing not available
>
> HP LaserJet Enterprise P3015
> No update required
> 20011213 07.130.0B or later
>
> HP LaserJet M3027 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet M3035
> No update required
> 20111212 48.240.0B or later
>
> HP Color LaserJet CP3505
> No update required
> Code signing not available
>
> HP Color LaserJet CP3525
> No update required
> 20111212 06.130.0B or later
>
> HP Color LaserJet CM3530
> No update required
> 20111213 53.170.1B or later
>
> HP Color LaserJet 3800
> No update required
> Code signing not available
>
> HP Color LaserJet CP4005
> No update required
> Code signing not available
>
> HP LaserJet P4014
> No update required
> 20111214 04.160.2B or later
>
> HP LaserJet P4015
> No update required
> 20111214 04.160.2B or later
>
> HP LaserJet 4240
> No update required
> Code signing not available
>
> HP LaserJet 4250
> No update required
> Code signing not available
>
> HP LaserJet M4345 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet 4350
> No update required
> Code signing not available
>
> HP LaserJet P4515
> No update required
> 20111214 04.160.2B or later
>
> HP Color LaserJet Enterprise CP4525
> No update required
> 20111213 07.110.2B or later
>
> HP Color LaserJet Enterprise CM4540 Multifunction Printer
> No update required
> No update required
>
> HP LaserJet Enterprise M4555 Multifunction Printer
> No update required
> No update required
>
> HP Color LaserJet 4700
> No update required
> Code signing not available
>
> HP Color LaserJet 4730 Multifunction Printer
> No update required
> Code signing not available
>
> HP Color LaserJet CM4730 Multifunction Printer
> No update required
> 20111212 50.220.1B or later
>
> HP LaserJet M5025 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet M5035 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet 5200L
> No update required
> 20111214 08.180.1B or later
>
> HP LaserJet 5200N
> No update required
> 20111214 08.180.1B or later
>
> HP Color LaserJet Professional CP5225 Printer
> 20111206 or later
> Code signing not available
>
> HP Color LaserJet CP5525
> No update required
> No update required
>
> HP Color LaserJet 5550
> No update required
> Code signing not available
>
> HP Color LaserJet CP6015
> No update required
> 20111212 04.150.0B or later
>
> HP Color LaserJet CM6030
> No update required
> 20111212 52.190.1B or later
>
> HP Color LaserJet CM6040
> No update required
> 20111212 52.190.1B or later
>
> HP CM8060 Color Multifunction Printer with Edgeline
> No update required
> Code signing not available
>
> HP LaserJet 9040
> No update required
> 20111213 08.220.1B or later
>
> HP LaserJet M9040 Multifunction Printer
> No update required
> 20111212 51.190.1B or later
>
> HP LaserJet 9050
> No update required
> 20111213 08.220.1B or later
>
> HP LaserJet M9050 Multifunction Printer
> No update required
> 20111212 51.190.1B or later
>
> HP 9200c Digital Sender
> No update required
> Code signing not available
>
> HP 9250c Digital Sender
> No update required
> 20111219 48.230.0B or later
>
> HP Color LaserJet 9500
> No update required
> Code signing not available
>
> How to Disable the Remote Firmware Update (RFU)
>
> For instructions about how to disable the RFU please refer to the
> following document: Configuring Remote Firmware Update on HP Printers
> and Multifunction Devices
>
> The document is available using ftp:
>
> ftp.usa.hp.com
> account: sb02728
> password: Secure12
>
> or
>
> ftp://sb02728:Secure12@ftp.usa.hp.com/
>
> File name: Configuring Remote Firmware Update on HP Printing Devices.pdf
>
> How to Download a Firmware Update
>
> The table above contains links for required firmware updates. Firmware
> updates for any of the products can also be downloaded as follows.
>
> Browse to www.hp.com/go/support then:
>
> Select "Drivers & Software"
> Enter the product name listed in the table above into the search field
> Click on "Search"
> If the search returns a list of products click on the appropriate product
> Under "Select operating system" click on "Cross operating system (BIOS,
> Firmware, Diagnostics, etc.)"
> If the "Cross operating system ..." link is not present, select any
> Windows operating system from the list.
> Select the appropriate firmware update under "Firmware"
>
> HISTORY
> Version:1 (rev.1) - 30 November 2011 Initial release
> Version:2 (rev.2) - 23 December 2011 Code signing firmware available
> Version:3 (rev.3) - 9 January 2012 Combined tables
>
> Third Party Security Patches: Third party security patches that are to
> be installed on systems running HP software products should be applied
> in accordance with the customer's patch management policy.
>
> Support: For issues about implementing the recommendations of this
> Security Bulletin, contact normal HP Services support channel. For
> other issues about the content of this Security Bulletin, send e-mail to
> security-alert en hp.com <javascript:;>.
>
> Report: To report a potential security vulnerability with any HP
> supported product, send Email to: security-alert en hp.com <javascript:;>
>
> Subscribe: To initiate a subscription to receive future HP Security
> Bulletin alerts via Email:
> http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
>
> Security Bulletin List: A list of HP Security Bulletins, updated
> periodically, is contained in HP Security Notice HPSN-2011-001:
>
> https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
>
> Security Bulletin Archive: A list of recently released Security
> Bulletins is available here:
> http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
>
> Software Product Category: The Software Product Category is represented
> in the title by the two characters following HPSB.
>
> 3C = 3COM
> 3P = 3rd Party Software
> GN = HP General Software
> HF = HP Hardware and Firmware
> MP = MPE/iX
> MU = Multi-Platform Software
> NS = NonStop Servers
> OV = OpenVMS
> PI = Printing and Imaging
> PV = ProCurve
> ST = Storage Software
> TU = Tru64 UNIX
> UX = HP-UX
>
> Copyright 2012 Hewlett-Packard Development Company, L.P.
> Hewlett-Packard Company shall not be liable for technical or editorial
> errors or omissions contained herein. The information provided is
> provided "as is" without warranty of any kind. To the extent permitted
> by law, neither HP or its affiliates, subcontractors or suppliers will
> be liable for incidental,special or consequential damages including
> downtime cost; lost profits;damages relating to the procurement of
> substitute products or services; or damages for loss of data, or
> software restoration. The information in this document is subject to
> change without notice. Hewlett-Packard Company and the names of
> Hewlett-Packard products referenced herein are trademarks of
> Hewlett-Packard Company in the United States and other countries. Other
> product and company names mentioned herein may be trademarks of their
> respective owners.
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net <javascript:;>
> https://mail.lacnic.net/mailman/listinfo/seguridad
>
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/seguridad/attachments/20120110/3cc7c498/attachment.html>
Más información sobre la lista de distribución Seguridad