Vulnerabilities / Threats
1/28/2013
05:42 PM
Connect Directly
RSS
E-Mail
50%
50%

HP Disputes Printer Security Vulnerabilities

Weaknesses in printer networking software could be used to bypass authentication, deny service and retrieve documents from any user, Spanish researcher says.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
HP is disputing the feasibility of several vulnerabilities in its JetDirect print server software that recently were highlighted by a researcher.

Information security researcher Sebastian Guerrero said that by using HP printer language command tags, he'd been able to retrieve other people's print jobs or assign them to a different user -- thus bypassing fingerprint or smart card checks built into a printer -- as well as crash a printer by using printer-command tags containing unexpected content.

"Based on what was disclosed it appears that the device was intentionally sent a corrupting job -- basically to try and disable the printer," said Keith Moore, chief technologist at HP LaserJet Solutions group, speaking by phone about one of the disclosed vulnerabilities. "If you're intentionally sending corrupt print jobs, yes the printer has a hard time knowing what to do with that, but that's where rebooting [comes in]," said Moore.

[ HP is not the only vendor whose printers carry certain security risks. Read Samsung Printers Have Hidden Security Risk. ]

"The other claims don't seem to be supported, and if you properly configure the device --as we recommend -- [they] technically can't be done," said Moore.

"HP takes our customers' security very seriously," said a spokeswoman in a follow-up email. "Our team has investigated the security allegations ... and determined that the claims that someone can bypass built-in biometric defenses and recover previously printed documents are false."

The crucial point in HP's rebuttal of parts of Guerrero's research, however, hangs on printers being properly configured, and to put that into practice, Moore pointed to "HP Imaging and Printing Security Best Practices," a document HP developed for distribution by the National Institute of Standards and Technologies (NIST). One of the document's chief recommendations is that printer administrators use the free HP Web Jetadmin, which is billed as "the recommended management tool for all HP network printing and digital sending products," and which can control all of the settings that HP recommends be set to maximize security.

Those configurations boil down to one recommendation: "It's essentially setting passwords on devices, or in businesses or enterprises especially, we'd encourage people to use something like HP Access Control, where the document won't even come out until you're standing at the device," said Moore, referring to HP Access Control (HPAC) Printing Solutions, which is designed to secure sensitive and confidential information in printing environments.

Late last week, Moore said HP was still trying to contact Guerrero to ensure that it's obtained a full disclosure of all vulnerabilities. But Guerrero, who's a researcher at viaForensics, reported via email that he'd already been in touch. "I can assure you that I have been in contact with them and furthermore, they were aware of these vulnerabilities before my article was published," he said.

In fact, in his research Guerrero already had noted that some of his exploits were feasible only when the printer didn't have a password enabled. Discussing viewing someone else's print jobs, for example, "I think this one has been misunderstood," he said. "As I said before, the printer has a log, where the jobs sent are stored, and some printers include the possibility to preview these jobs. If the printer doesn't use a password you can get access to the log and see the document."

But not all of the vulnerabilities he identified revolve around passwords. For example, to assign a document to a different user, "you can set some PCL/PJL tags in order to assign a job to a user, independent of whether the printer did -- or did not -- set a password," he said. "If you send the job to its queue, the job will be registered on the log with the information stored in its tags."

Guerrero emphasized that there's no coding flaw here. "It's just a leak of security on the printer, this is not HP's bug," he said. "Furthermore, this vulnerability affects printers from more manufacturers, for example, Ricoh. I can assure you that."

Another security concern is that any printers inside the network -- from HP or otherwise -- would be vulnerable to remote attacks that retrieve documents that have been printed using the device, or install custom malicious malware, especially if the printers didn't have passwords enabled or aren't running security software such as HPAC. HP's Moore, however, dismissed the threat of remote exploits of machines running JetDirect. "Typically, a firewall blocks [external attacks], so remote attacks are unlikely," he said.

But Michael Sutton, VP of security research for Web security firm Zscaler Labs, has published research showing that embedded Web servers in devices -- such as printers and photocopiers -- are often Internet-connected and unsecured with either passwords or firewalls. That would make the devices of interest for corporate espionage purposes.

Similarly, blogger Adam Howard at Port3000 posted a Google search Friday that turns up thousands of Internet-connected printers. "A quick, well crafted Google search returns 'about 86,800 results' for publically accessible HP printers," said Howard. "There's something interesting about being able to print to a random location around the world, with no idea of the consequence. Lock down your printer :) PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network."

Likewise, a Google search for LCDispatcher ("inurl:hp/device/this.LCDispatcher") shared by the Google Dorks website -- amongst other locations -- returned 968,000 hits. LCDispatcher is a component in Internet-connected print servers running JetDirect, meaning the hits are apparently all printers that have their configuration pages available via the Internet.

InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/3/2013 | 5:25:07 PM
re: HP Disputes Printer Security Vulnerabilities
So what exactly is HP stating, that if you launch a no holds barred attack then only is printer vulnerable? If Sebastian Guerrero has documented evidence, then what is in dispute here? It makes HP look even worse, then admitting and addressing the vulnerability. I agree that it is standard practice to change the default password, but HP has to take that into consideration that non-technical people will be using their printers and should have some step-by-step walk through for automatically changing your password before it goes live on your network.

Paul Sprague
InformationWeek Contributor
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
1/30/2013 | 4:08:06 PM
re: HP Disputes Printer Security Vulnerabilities
I am quite certain that the majority of individuals and SMB's that use network capable printers are unaware of how they can be exploited. This is an awareness issue.

Almost all "network capable" printers these days have the ability to be managed remotely using their embedded web server. While that makes it convenient to manage the printer by not having to physically use the printer's controls, it opens up Pandora's box in how a given printer can be exploited.

I would bet the farm that most individuals and SMB's buy a printer, stick it on their network, and never change the default password - which is well known. HP (in particular) is dreaming if they think most customers will take the time to download and use their management tools to secure the printer. This is/has not been top of mind for most companies.
Register for Dark Reading Newsletters
Partner Perspectives
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.