[NEWS] New HP Jetdirect SNMP Password Vulnerability when Using Web JetAdmin
From: support@securiteam.com
Date: 03/07/03
- Previous message: support@securiteam.com: "[EXPL] Buffer Overflow Vulnerability Found in file (Exploit Code)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 7 Mar 2003 13:11:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
New HP Jetdirect SNMP Password Vulnerability when Using Web JetAdmin
------------------------------------------------------------------------
SUMMARY
A vulnerability in HP Jetdirect's SNMP support allows an attacker to
retreive the password used by the administrator to protect the
configuration of the printer. The vulnerability requires only the
knowledge of the SNMP community name (by default it is set to 'public').
DETAILS
Vulnerable systems:
* HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus
(J2591A), JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A,
J3113A) and older (Where the Jetdirect card is being managed from HP Web
Jetadmin)
How to check your printers for this vulnerability:
Use an SNMP toolkit to read the following OID from your printer:
iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords (In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
An example on a Windows machine, using SNMPUTIL from the Windows Resource
kit:
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value = String
<0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
x3b><0x00><0x00><0x00><0x00> ..etc...
The resulting string reads in ASCII: ABCDEF=108;
The Web Jetadmin device password is the word before the '=' sign, in this
case: ABCDEF
How to protect your printer:
1. Keep the Web Jetadmin device password EMPTY (don't do this on newer
cards than the ones mentioned above)
2. Define a 'Set community name' instead
Additional means of protection (does not address the SNMP vulnerability):
3. Define a telnet password (do not keep it empty)
4. Create an 'allow list' from the Telnet console to restrict access from
defined IP-addresses
ADDITIONAL INFORMATION
The information has been provided by <mailto:helpdesk@tm.tue.nl> Sven
Pechler.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[EXPL] Buffer Overflow Vulnerability Found in file (Exploit Code)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
