Vulnerabilities / Threats
1/28/2013
05:42 PM
50%
50%

HP Disputes Printer Security Vulnerabilities

Weaknesses in printer networking software could be used to bypass authentication, deny service and retrieve documents from any user, Spanish researcher says.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
HP is disputing the feasibility of several vulnerabilities in its JetDirect print server software that recently were highlighted by a researcher.

Information security researcher Sebastian Guerrero said that by using HP printer language command tags, he'd been able to retrieve other people's print jobs or assign them to a different user -- thus bypassing fingerprint or smart card checks built into a printer -- as well as crash a printer by using printer-command tags containing unexpected content.

"Based on what was disclosed it appears that the device was intentionally sent a corrupting job -- basically to try and disable the printer," said Keith Moore, chief technologist at HP LaserJet Solutions group, speaking by phone about one of the disclosed vulnerabilities. "If you're intentionally sending corrupt print jobs, yes the printer has a hard time knowing what to do with that, but that's where rebooting [comes in]," said Moore.

[ HP is not the only vendor whose printers carry certain security risks. Read Samsung Printers Have Hidden Security Risk. ]

"The other claims don't seem to be supported, and if you properly configure the device --as we recommend -- [they] technically can't be done," said Moore.

"HP takes our customers' security very seriously," said a spokeswoman in a follow-up email. "Our team has investigated the security allegations ... and determined that the claims that someone can bypass built-in biometric defenses and recover previously printed documents are false."

The crucial point in HP's rebuttal of parts of Guerrero's research, however, hangs on printers being properly configured, and to put that into practice, Moore pointed to "HP Imaging and Printing Security Best Practices," a document HP developed for distribution by the National Institute of Standards and Technologies (NIST). One of the document's chief recommendations is that printer administrators use the free HP Web Jetadmin, which is billed as "the recommended management tool for all HP network printing and digital sending products," and which can control all of the settings that HP recommends be set to maximize security.

Those configurations boil down to one recommendation: "It's essentially setting passwords on devices, or in businesses or enterprises especially, we'd encourage people to use something like HP Access Control, where the document won't even come out until you're standing at the device," said Moore, referring to HP Access Control (HPAC) Printing Solutions, which is designed to secure sensitive and confidential information in printing environments.

Late last week, Moore said HP was still trying to contact Guerrero to ensure that it's obtained a full disclosure of all vulnerabilities. But Guerrero, who's a researcher at viaForensics, reported via email that he'd already been in touch. "I can assure you that I have been in contact with them and furthermore, they were aware of these vulnerabilities before my article was published," he said.

In fact, in his research Guerrero already had noted that some of his exploits were feasible only when the printer didn't have a password enabled. Discussing viewing someone else's print jobs, for example, "I think this one has been misunderstood," he said. "As I said before, the printer has a log, where the jobs sent are stored, and some printers include the possibility to preview these jobs. If the printer doesn't use a password you can get access to the log and see the document."

But not all of the vulnerabilities he identified revolve around passwords. For example, to assign a document to a different user, "you can set some PCL/PJL tags in order to assign a job to a user, independent of whether the printer did -- or did not -- set a password," he said. "If you send the job to its queue, the job will be registered on the log with the information stored in its tags."

Guerrero emphasized that there's no coding flaw here. "It's just a leak of security on the printer, this is not HP's bug," he said. "Furthermore, this vulnerability affects printers from more manufacturers, for example, Ricoh. I can assure you that."

Another security concern is that any printers inside the network -- from HP or otherwise -- would be vulnerable to remote attacks that retrieve documents that have been printed using the device, or install custom malicious malware, especially if the printers didn't have passwords enabled or aren't running security software such as HPAC. HP's Moore, however, dismissed the threat of remote exploits of machines running JetDirect. "Typically, a firewall blocks [external attacks], so remote attacks are unlikely," he said.

But Michael Sutton, VP of security research for Web security firm Zscaler Labs, has published research showing that embedded Web servers in devices -- such as printers and photocopiers -- are often Internet-connected and unsecured with either passwords or firewalls. That would make the devices of interest for corporate espionage purposes.

Similarly, blogger Adam Howard at Port3000 posted a Google search Friday that turns up thousands of Internet-connected printers. "A quick, well crafted Google search returns 'about 86,800 results' for publically accessible HP printers," said Howard. "There's something interesting about being able to print to a random location around the world, with no idea of the consequence. Lock down your printer :) PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network."

Likewise, a Google search for LCDispatcher ("inurl:hp/device/this.LCDispatcher") shared by the Google Dorks website -- amongst other locations -- returned 968,000 hits. LCDispatcher is a component in Internet-connected print servers running JetDirect, meaning the hits are apparently all printers that have their configuration pages available via the Internet.

InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/3/2013 | 5:25:07 PM
re: HP Disputes Printer Security Vulnerabilities
So what exactly is HP stating, that if you launch a no holds barred attack then only is printer vulnerable? If Sebastian Guerrero has documented evidence, then what is in dispute here? It makes HP look even worse, then admitting and addressing the vulnerability. I agree that it is standard practice to change the default password, but HP has to take that into consideration that non-technical people will be using their printers and should have some step-by-step walk through for automatically changing your password before it goes live on your network.

Paul Sprague
InformationWeek Contributor
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
1/30/2013 | 4:08:06 PM
re: HP Disputes Printer Security Vulnerabilities
I am quite certain that the majority of individuals and SMB's that use network capable printers are unaware of how they can be exploited. This is an awareness issue.

Almost all "network capable" printers these days have the ability to be managed remotely using their embedded web server. While that makes it convenient to manage the printer by not having to physically use the printer's controls, it opens up Pandora's box in how a given printer can be exploited.

I would bet the farm that most individuals and SMB's buy a printer, stick it on their network, and never change the default password - which is well known. HP (in particular) is dreaming if they think most customers will take the time to download and use their management tools to secure the printer. This is/has not been top of mind for most companies.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.