[NEWS] Canon MFD FTP Bounce Attack

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Canon MFD FTP Bounce Attack
------------------------------------------------------------------------


SUMMARY

Certain Canon Multi Function Devices (see Products affected below) allow
remote attackers to redirect traffic to other sites (aka FTP bounce) via
the PORT command, a variant of CVE-1999-0017.

DETAILS

Vulnerable Systems:
* imageRUNNER 2230/2830/3530
* imageRUNNER 3025/3030/3035/3045
* imageRUNNER 2270/2870/3570/4570
* imageRUNNER 5070/5570/6570
* imageRUNNER 5050/5055/5065/5075
* imageRUNNER 8070/85+/9070/105+
* imageRUNNER 7086/7095/7105
* Color imageRUNNER C3220/2620
* Color imageRUNNER C2880/3380
* Color imageRUNNER C2550
* Color imageRUNNER C4080/4580/5180/5185
* Color imageRUNNER LBP5960
* Color imageRUNNER LBP5360
* imageRUNNER C3170
* imageRUNNER C5800/6800
* imageRUNNER C5870U/6870U
* imageRUNNER C5058/5068
* imageRUNNER LBP3460
* imagePRESS C7000VP
* imagePRESS C1

Mitigation/workarounds:
* Disable FTP printing:
o Navigate to Additional Functions -> System Settings -> Network
Settings -> TCP/IP Settings -> FTP print.
o Set FTP print to OFF.

* Protect FTP printing with username/password credentials:
o Navigate to Additional Functions -> System Settings -> Network
Settings -> TCP/IP Settings -> FTP print.
o Set "user name" and "password" for the FTP print functionality.

Firmware updates that fix the vulnerability are available, but are not
user installable. They require a service technician call. If one of the
above two workarounds are not sufficient, please contact your local Canon
Authorized Service Dealer.

Additionally, best practices suggest that access controls and network
firewall policies be put into place to only allow connections from trusted
machines and networks.

Vendor response:
The vendor has published an advisory, available here:
<http://www.canon-europe.com/For_work/Canon_Europe_CBS_Web_Advisory_Digital_Multifunction_Printers.asp> Digital multifunction printer vulnerability.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0303>
CVE-2008-0303


ADDITIONAL INFORMATION

The information has been provided by <mailto:natejohn@xxxxxx> Nate
Johnson.
The original article can be found at:
<https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack>
https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.