[LACNIC/Seguridad] Conectividad e2e (Fwd: [security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders...)
Carlos M. Martinez
carlosm3011 en gmail.com
Mar Ene 10 11:55:10 BRST 2012
El flamewar empieza (para mi) con estos items:
- los defensores del NAT tratando de forzarnoslo por la garganta a los
que NO lo queremos
- la aparicion del CGN como "mira que bueno, yo ISP ahora te voy a
garantizar tu seguridad porque estas detras de un NAT"
- el aceptar como mandato divino el hecho de que uno solo tiene derecho
a tener una IP publica como gran cosa (si no estoy detras del CGN,
claro), cuando en realidad el hecho de que solo pueda tener una IP
publica v4 en mi casa es producto de la falta de vision de los ISPs y no
por una limitacion tecnica o porque el NAT de mi casa me haga mas seguro
(ha!)
Y aclaro mi posicion:
- Al igual que Christian, el NAT esta bien para mi, siempre que yo como
usuario *mantenga el control del mismo*, y *pueda optar por usarlo*,
como una herramienta mas. NO como una cosa forzada tal como es hoy.
- El e2e como todo puede ser deseable a veces, y a veces no. Tiene que
ser una opcion de la aplicacion o del site.
- Direcciones publicas NO implican e2e (otro error concepual muy comun)
- Direcciones publicas NO implican no usar firewall (error conceptual
#2, el cual lleva a debates que se parecen mucho a los pro life / pro
choice )
s2
C.
On 1/10/12 11:18 AM, Fernando Gont wrote:
> Estimados,
>
> Mas que probable que hayan leido estos advisories sobre impresoras HP
> (ver debajo), los cual nos vuelve a llevar a nuestra interminable
> discusión/flame-war :-) sobre conectividad e2e, etc.
>
> Este es un simple ejemplo en en cual un filtro estilo "solo se admiten
> conexiones salientes" podria prevenir que las impresoras sean own'eadas.
>
> En un mundo "internet of things", probablemente también podría evitar
> que en muchos casos se puedan realizar ataques similares contra "la
> heladera" ("viejo, se nos pudrieron las naranjas porque nos hackearon la
> heladera" sort of thing :-) ), y dispositivos varios, etc.
>
> A falta de termino para describir la (IMO, correcta) motivación de
> quienes despliegan dispositivos que rompen la mencionada conectividad
> extremo a extremo por motivos de seguridad, me atrevo a coin'ear el
> "Primer principio de Johansson": "I don't like that kind of connection:
> it's too connected" [1]
>
> [1] http://youtu.be/fgdujfwSjXw
>
> P.S.: Para evitar que se hagan interpretaciones incorrectas: Lo de
> arriba no tiene nada que ver con CGN. Si te quisieron vender un CGN con
> el argumento de seguridad, haz un bien a la comunidad, y denuncialos. :-)
>
> Saludos,
> Fernando
>
>
>
>
> -------- Original Message --------
> Subject: [security bulletin] HPSBPI02728 SSRT100692 rev.3 - Certain HP
> Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
> Date: Mon, 9 Jan 2012 09:09:45 -0500 (EST)
> From: security-alert en hp.com
> To: bugtraq en securityfocus.com
>
> SUPPORT COMMUNICATION - SECURITY BULLETIN
>
> Document ID: c03102449
> Version: 3
>
> HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital
> Senders, Remote Firmware Update Enabled by Default
>
> NOTICE: The information in this Security Bulletin should be acted upon
> as soon as possible.
>
> Release Date: 2011-11-30
> Last Updated: 2012-01-09
>
> Potential Security Impact: Remote firmware update enabled by default
>
> Source: Hewlett-Packard Company, HP Software Security Response Team
>
> VULNERABILITY SUMMARY
> A potential security vulnerability has been identified with certain HP
> printers and HP digital senders. The vulnerability could be exploited
> remotely to install unauthorized printer firmware.
>
> References: CVE-2011-4161
>
> SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
> Please refer to the RESOLUTION
> below for a list of impacted products.
>
> BACKGROUND
>
> CVSS 2.0 Base Metrics
> ===========================================================
> Reference Base Vector Base Score
> CVE-2011-4161 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
> ===========================================================
> Information on CVSS is documented
> in HP Customer Notice: HPSN-2008-002
>
> Note: For further information on Secure Printing and Imaging please
> refer to http://www.hp.com/go/secureprinting
>
> Remote Firmware Update (RFU): The Remote Firmware Update (RFU) feature
> is enabled by default. A firmware update can be sent remotely to port
> 9100 without authentication. This could allow unauthorized modification
> of the device firmware. The unauthorized firmware could impact the
> confidentiality and integrity of data sent to and received from the
> device. The unauthorized firmware could also cause a Denial of Service
> (DoS) to the device.
>
> RESOLUTION
> The following steps can be taken to avoid unauthorized firmware updates:
>
> Update the firmware to a version that implements code signing
> Disable the Remote Firmware Update
>
> The code signing feature verifies that firmware updates are properly
> signed. This will prevent the installation of invalid firmware updates.
>
> Note: A firmware update may be required to allow the RFU to be disabled
> or to implement code signing. Code signing is not available on all the
> affected devices. Please refer to the following table.
>
> Product
> Firmware Update Required to Allow Disabling RFU
> Firmware Update Required for Code Signing
>
> HP LaserJet Enterprise 500 color M551
> No update required
> No update required
>
> HP LaserJet Enterprise 600 M601
> No update required
> No update required
>
> HP LaserJet Enterprise 600 M602
> No update required
> No update required
>
> HP LaserJet Enterprise 600 M603
> No update required
> No update required
>
> HP Color LaserJet CM1312 Multifunction Printer
> 20111209 or later
> Code signing not available
>
> HP LaserJet Pro CM1415 Color Multifunction Printer
> 20111215 or later
> No update required
>
> HP Color LaserJet CP1510
> 20111209 or later
> Code signing not available
>
> HP LaserJet M1522 Multifunction Printer
> 20111212 or later
> Code signing not available
>
> HP LaserJet Pro CP1525 Color Printer
> 20111215 or later
> No update required
>
> HP LaserJet Pro M1536 Multifunction Printer
> 20111215 or later
> No update required
>
> HP Color LaserJet CP2025
> 20111208 or later
> Code signing not available
>
> HP LaserJet P2035
> 20111213 or later
> Code signing not available
>
> HP LaserJet P2055
> 20111214 or later
> Code signing not available
>
> HP Color LaserJet CM2320 Multifunction Printer
> 20111209 or later
> Code signing not available
>
> HP LaserJet M2727 Multifunction Printer
> 20111212 or later
> Code signing not available
>
> HP Color LaserJet 3000
> No update required
> Code signing not available
>
> HP LaserJet P3005
> No update required
> Code signing not available
>
> HP LaserJet Enterprise P3015
> No update required
> 20011213 07.130.0B or later
>
> HP LaserJet M3027 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet M3035
> No update required
> 20111212 48.240.0B or later
>
> HP Color LaserJet CP3505
> No update required
> Code signing not available
>
> HP Color LaserJet CP3525
> No update required
> 20111212 06.130.0B or later
>
> HP Color LaserJet CM3530
> No update required
> 20111213 53.170.1B or later
>
> HP Color LaserJet 3800
> No update required
> Code signing not available
>
> HP Color LaserJet CP4005
> No update required
> Code signing not available
>
> HP LaserJet P4014
> No update required
> 20111214 04.160.2B or later
>
> HP LaserJet P4015
> No update required
> 20111214 04.160.2B or later
>
> HP LaserJet 4240
> No update required
> Code signing not available
>
> HP LaserJet 4250
> No update required
> Code signing not available
>
> HP LaserJet M4345 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet 4350
> No update required
> Code signing not available
>
> HP LaserJet P4515
> No update required
> 20111214 04.160.2B or later
>
> HP Color LaserJet Enterprise CP4525
> No update required
> 20111213 07.110.2B or later
>
> HP Color LaserJet Enterprise CM4540 Multifunction Printer
> No update required
> No update required
>
> HP LaserJet Enterprise M4555 Multifunction Printer
> No update required
> No update required
>
> HP Color LaserJet 4700
> No update required
> Code signing not available
>
> HP Color LaserJet 4730 Multifunction Printer
> No update required
> Code signing not available
>
> HP Color LaserJet CM4730 Multifunction Printer
> No update required
> 20111212 50.220.1B or later
>
> HP LaserJet M5025 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet M5035 Multifunction Printer
> No update required
> 20111212 48.240.0B or later
>
> HP LaserJet 5200L
> No update required
> 20111214 08.180.1B or later
>
> HP LaserJet 5200N
> No update required
> 20111214 08.180.1B or later
>
> HP Color LaserJet Professional CP5225 Printer
> 20111206 or later
> Code signing not available
>
> HP Color LaserJet CP5525
> No update required
> No update required
>
> HP Color LaserJet 5550
> No update required
> Code signing not available
>
> HP Color LaserJet CP6015
> No update required
> 20111212 04.150.0B or later
>
> HP Color LaserJet CM6030
> No update required
> 20111212 52.190.1B or later
>
> HP Color LaserJet CM6040
> No update required
> 20111212 52.190.1B or later
>
> HP CM8060 Color Multifunction Printer with Edgeline
> No update required
> Code signing not available
>
> HP LaserJet 9040
> No update required
> 20111213 08.220.1B or later
>
> HP LaserJet M9040 Multifunction Printer
> No update required
> 20111212 51.190.1B or later
>
> HP LaserJet 9050
> No update required
> 20111213 08.220.1B or later
>
> HP LaserJet M9050 Multifunction Printer
> No update required
> 20111212 51.190.1B or later
>
> HP 9200c Digital Sender
> No update required
> Code signing not available
>
> HP 9250c Digital Sender
> No update required
> 20111219 48.230.0B or later
>
> HP Color LaserJet 9500
> No update required
> Code signing not available
>
> How to Disable the Remote Firmware Update (RFU)
>
> For instructions about how to disable the RFU please refer to the
> following document: Configuring Remote Firmware Update on HP Printers
> and Multifunction Devices
>
> The document is available using ftp:
>
> ftp.usa.hp.com
> account: sb02728
> password: Secure12
>
> or
>
> ftp://sb02728:Secure12@ftp.usa.hp.com/
>
> File name: Configuring Remote Firmware Update on HP Printing Devices.pdf
>
> How to Download a Firmware Update
>
> The table above contains links for required firmware updates. Firmware
> updates for any of the products can also be downloaded as follows.
>
> Browse to www.hp.com/go/support then:
>
> Select "Drivers & Software"
> Enter the product name listed in the table above into the search field
> Click on "Search"
> If the search returns a list of products click on the appropriate product
> Under "Select operating system" click on "Cross operating system (BIOS,
> Firmware, Diagnostics, etc.)"
> If the "Cross operating system ..." link is not present, select any
> Windows operating system from the list.
> Select the appropriate firmware update under "Firmware"
>
> HISTORY
> Version:1 (rev.1) - 30 November 2011 Initial release
> Version:2 (rev.2) - 23 December 2011 Code signing firmware available
> Version:3 (rev.3) - 9 January 2012 Combined tables
>
> Third Party Security Patches: Third party security patches that are to
> be installed on systems running HP software products should be applied
> in accordance with the customer's patch management policy.
>
> Support: For issues about implementing the recommendations of this
> Security Bulletin, contact normal HP Services support channel. For
> other issues about the content of this Security Bulletin, send e-mail to
> security-alert en hp.com.
>
> Report: To report a potential security vulnerability with any HP
> supported product, send Email to: security-alert en hp.com
>
> Subscribe: To initiate a subscription to receive future HP Security
> Bulletin alerts via Email:
> http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
>
> Security Bulletin List: A list of HP Security Bulletins, updated
> periodically, is contained in HP Security Notice HPSN-2011-001:
> https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
>
> Security Bulletin Archive: A list of recently released Security
> Bulletins is available here:
> http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
>
> Software Product Category: The Software Product Category is represented
> in the title by the two characters following HPSB.
>
> 3C = 3COM
> 3P = 3rd Party Software
> GN = HP General Software
> HF = HP Hardware and Firmware
> MP = MPE/iX
> MU = Multi-Platform Software
> NS = NonStop Servers
> OV = OpenVMS
> PI = Printing and Imaging
> PV = ProCurve
> ST = Storage Software
> TU = Tru64 UNIX
> UX = HP-UX
>
> Copyright 2012 Hewlett-Packard Development Company, L.P.
> Hewlett-Packard Company shall not be liable for technical or editorial
> errors or omissions contained herein. The information provided is
> provided "as is" without warranty of any kind. To the extent permitted
> by law, neither HP or its affiliates, subcontractors or suppliers will
> be liable for incidental,special or consequential damages including
> downtime cost; lost profits;damages relating to the procurement of
> substitute products or services; or damages for loss of data, or
> software restoration. The information in this document is subject to
> change without notice. Hewlett-Packard Company and the names of
> Hewlett-Packard products referenced herein are trademarks of
> Hewlett-Packard Company in the United States and other countries. Other
> product and company names mentioned herein may be trademarks of their
> respective owners.
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad
--
--
Carlos M. Martinez
LACNIC R+D
http://www.labs.lacnic.net
Más información sobre la lista de distribución Seguridad