
Security

Printer vulnerabilities via firmware update

By Jake Edge
November 30, 2011

Regular readers of this page will not find it surprising to hear about attacks against hardware, typically through the firmware installed on them. The recent report about a vulnerability in HP laser printers falls into that category, but there are some twists. The researchers at Columbia University certainly picked an attention-getting example when they were able to alter the printer firmware and nearly set the paper being printed on fire, but HP's reaction to the flaw, at least so far, is eye-opening as well.

The flaw is a simple one, evidently. Print jobs sent to the printers are scanned to see if they contain a firmware update and, if so, the update is installed. Crucially, the update is not checked for any kind of digital signature, nor is user input requested before performing the update. In the msnbc report, HP's Keith Moore, chief technologist for the printer division, said that printers since 2009 have required signed updates, but the Columbia researchers "say they purchased one of the printers they hacked in September at a major New York City office supply store". Regardless, there are certainly millions of pre-2009 HP laser printers in service that are presumably vulnerable.

The researchers were able to rewrite the firmware so that it "would continuously heat up the printer's fuser — which is designed to dry the ink once it's applied to paper — eventually causing the paper to turn brown and smoke". Before the paper could catch fire, though, a "thermal breaker" shut down the printer—seemingly permanently. In a press release, HP said that the breaker is designed to thwart just that kind of problem. The company also said that the breaker "cannot be overcome by a firmware change or this proposed vulnerability". That's certainly a nice safety feature, but disabled printers definitely make for a painful denial-of-service attack.

There are several other interesting parts of the rather defensively worded press release. According to HP, no customers have reported suffering from these firmware-rewrite attacks, but it's unclear how those customers would know. Obviously, if their printers were emitting brown, smoking paper, there would be little question, but the researchers demonstrated other kinds of attacks that would be more difficult to detect:

In one demonstration, [Ang] Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker's machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.

As might be guessed, HP tries to minimize the extent of the problem, but it's not yet clear that the company completely understands the ramifications. From the press release:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

Given the attack vector, submitted print jobs, it's a bit hard to believe that only Linux or Mac systems can trigger the problem. While that may be the case, it seems much more likely that there are ways to coerce Windows into submitting jobs with firmware upgrades as well. How else would customers running Windows do a firmware update? Even if Windows is somehow prevented from sending a corrupted print job, it's pretty uncommon today to find a corporate network with no Mac or Linux machines on it.

It's also rather disingenuous to suggest that printers behind firewalls (on networks with no malicious users) are somehow immune. Again, that could be the case, but it is far more likely that malware of various sorts could cause jobs to be sent to printers. A firewall doesn't necessarily prevent web or email-based attacks, for example, and anti-virus software is unlikely to be looking for malware exploiting printer vulnerabilities.

It doesn't take much imagination to come up with other attacks beyond those demonstrated. Printers could be used as part of a botnet, as bridgeheads to launch further attacks on a corporate network, and so on. Like many devices, printers are fairly capable general-purpose computers under the covers, even if they tend to have fewer resources (e.g. CPU horsepower, RAM) than desktops or servers.

HP has said that it will put out a firmware update to fix the problem, but it will be a challenge to get those patches installed on all of the affected devices. And, as pointed out in the msnbc report, any printers that are already infected—if attackers have previously discovered the hole—may well reject any further attempts to upgrade them. In addition, while the researchers found the problem in LaserJets, there is no reason to believe that other printers—or other networked devices, from HP and others—don't suffer from similar flaws. In many ways, embedded device security is in its infancy.

It is a difficult balancing act, however. If recent HP printers will only accept firmware updates that are signed using HP's keys, that solves the problem of this kind of attack, but leaves a different problem in its wake: lockdown by a manufacturer. As we have seen with TiVo, PlayStation 3, locked-down mobile phones, and other devices, manufacturers may be able to add anti-features, disable previously working features, and generally interfere with the owner's wishes when only they hold the keys to a device.

It is, in some ways, similar to the UEFI secure boot issues that have been in the news recently. In both cases, customers that want to actually own their devices are going to need a way to store their own key and have it be trusted by the device. That may be overkill for printers or other devices, so manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once, but the alternative, ceding all upgradability only to the manufacturer, has some major downsides as well.
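Modelled on the update path described above, an added example (not HP's firmware or the researchers' code) contrasting the flawed policy, apply any firmware found in a print job, with the signed-update gate plus optional user-present check that the article discusses. The key names, the trust-store layout and the choice of Ed25519 are assumptions; the firmware image is a constructed string.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// FirmwareUpdate is the payload a print job may carry. The flawed printers
// applied Image without ever looking at Sig.
type FirmwareUpdate struct {
	KeyID string // trust-store key the sender claims signed the image
	Image []byte
	Sig   []byte // Ed25519 signature over Image; nil for an unsigned job
}
// UpdatePolicy is the hardened gate: a trust store holding the manufacturer
// key and any owner-enrolled keys, plus an optional user-present step.
type UpdatePolicy struct {
	Trusted            map[string]ed25519.PublicKey
	RequireUserPresent bool // e.g. "press OK on the front panel"
}
var (
	ErrUntrustedKey = errors.New("firmware signed by a key not in the trust store")
	ErrBadSignature = errors.New("firmware signature does not verify")
	ErrUserAbsent   = errors.New("user-present confirmation required")
)

// LegacyAccept models the reported behaviour: apply whatever arrives.
func LegacyAccept(u FirmwareUpdate) error { return nil }
// Accept requires an enrolled key and a signature over the whole image
// before it even asks whether someone is at the panel.
func (p UpdatePolicy) Accept(u FirmwareUpdate, userPresent bool) error {
	pub, ok := p.Trusted[u.KeyID]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, u.Image, u.Sig) { // false for a nil or short Sig
		return ErrBadSignature
	}
	if p.RequireUserPresent && !userPresent {
		return ErrUserAbsent
	}
	return nil
}

// SignUpdate is the build-pipeline side: sign the image with an enrolled key.
func SignUpdate(priv ed25519.PrivateKey, keyID string, image []byte) FirmwareUpdate {
	return FirmwareUpdate{KeyID: keyID, Image: image, Sig: ed25519.Sign(priv, image)}
}

func main() {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	policy := UpdatePolicy{Trusted: map[string]ed25519.PublicKey{"owner": ownerPub}, RequireUserPresent: true}
	image := []byte("constructed firmware image, not real firmware")
	good := SignUpdate(ownerPriv, "owner", image)
	unsigned := FirmwareUpdate{KeyID: "owner", Image: image} // what the flawed printers accepted
	fmt.Println("legacy/unsigned:", LegacyAccept(unsigned), " hardened/unsigned:", policy.Accept(unsigned, true))
	fmt.Println("signed/no user:", policy.Accept(good, false), " signed/user at panel:", policy.Accept(good, true))
}
```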

Comments (21 posted)

Brief items

Security quotes of the week

Like the FTC on Facebook and follow us on Twitter.
-- The evidently irony-impaired US Federal Trade Commission (FTC) announces a privacy settlement with Facebook

Will there also be "If You See Something, Say Something™" Day, with Janet Napolitano bobbleheads given to all the kids?

This kind of thing only serves to ratchet up fear, and doesn't make us any safer.

-- Bruce Schneier comments on Major League Soccer's partnership with the US Department of Homeland Security

I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives -- smart phone banking, electronic wallets -- they're simply going to become the most valuable device for criminals to go after. And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store.
-- Schneier again

[Michael] Osterholm says he can't discuss details of the papers because he's an NSABB [US National Science Advisory Board for Biosecurity] member. But he says it should be possible to omit certain key details from controversial papers and make them available to people who really need to know. "We don't want to give bad guys a road map on how to make bad bugs really bad," he says.
-- ScienceInsider reports on disclosure policy questions in the world of virology (by way of Schneier).

Comments (7 posted)

New vulnerabilities

apt: repository credential disclosure

Package(s): apt    CVE #(s): CVE-2011-3634
Created: November 28, 2011    Updated: November 30, 2011
Description: From the Ubuntu advisory:

It was discovered that APT incorrectly handled the Verify-Host configuration option. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to steal repository credentials. This issue only affected Ubuntu 10.04 LTS and 10.10.

Alerts:
Ubuntu USN-1283-1 apt 2011-11-28

Comments (none posted)

glibc: multiple vulnerabilities

Package(s): glibc    CVE #(s): CVE-2011-1089 CVE-2011-1659
Created: November 28, 2011    Updated: December 7, 2011
Description: From the Mandriva advisory:

The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089).

Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659).

Alerts:
Gentoo 201312-01 glibc 2013-12-02
Mandriva MDVSA-2013:048 ncpfs 2013-04-05
Ubuntu USN-1396-1 eglibc, glibc 2012-03-09
Scientific Linux SL-glib-20120214 glibc 2012-02-14
Oracle ELSA-2012-0126 glibc 2012-02-14
Oracle ELSA-2012-0125 glibc 2012-02-14
CentOS CESA-2012:0126 glibc 2012-02-14
CentOS CESA-2012:0125 glibc 2012-02-14
Red Hat RHSA-2012:0125-01 glibc 2012-02-13
Red Hat RHSA-2012:0126-01 glibc 2012-02-13
Scientific Linux SL-glib-20111206 glibc 2011-12-06
Red Hat RHSA-2011:1526-03 glibc 2011-12-06
Mandriva MDVSA-2011:179 glibc 2011-11-25
Mandriva MDVSA-2011:178 glibc 2011-11-25

Comments (none posted)

hardlink: multiple vulnerabilities

Package(s): hardlink    CVE #(s): CVE-2011-3630 CVE-2011-3631 CVE-2011-3632
Created: November 24, 2011    Updated: August 20, 2012
Description: From the Fedora advisory:

CVE-2011-3630 hardlink: Multiple stack-based buffer overflows when run on a tree with deeply nested directories

CVE-2011-3631 hardlink: Multiple integer overflows, when adding string lengths

CVE-2011-3632 hardlink: Prone to symlink attacks

Alerts:
Mageia MGASA-2012-0221 hardlink 2012-08-18
Fedora FEDORA-2011-14753 hardlink 2011-10-22
Fedora FEDORA-2011-14727 hardlink 2011-10-22

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2011-4110
Created: November 25, 2011    Updated: December 27, 2011
Description: From the Red Hat bugzilla:

A flaw was found in the way Linux kernel handled user-defined key types. An unprivileged local user could use this flaw to crash the system.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
SUSE SUSE-SU-2012:1391-1 Linux kernel 2012-10-24
SUSE SUSE-SU-2012:0364-1 Real Time Linux Kernel 2012-03-14
Oracle ELSA-2012-0150 kernel 2012-03-07
Red Hat RHSA-2012:0333-01 kernel-rt 2012-02-23
Red Hat RHSA-2012:0116-01 kernel 2012-02-15
SUSE SUSE-SU-2012:0153-2 Linux kernel 2012-02-06
SUSE SUSE-SU-2012:0153-1 kernel 2012-02-06
Ubuntu USN-1344-1 linux 2012-01-24
Ubuntu USN-1345-1 linux 2012-01-24
Ubuntu USN-1341-1 linux 2012-01-23
Ubuntu USN-1340-1 linux-lts-backport-oneiric 2012-01-23
Ubuntu USN-1337-1 linux-lts-backport-natty 2012-01-23
Debian DSA-2389-1 linux-2.6 2012-01-15
Ubuntu USN-1332-1 linux-lts-backport-maverick 2012-01-13
Ubuntu USN-1330-1 linux-ti-omap4 2012-01-13
Ubuntu USN-1328-1 linux-mvl-dove 2012-01-13
Ubuntu USN-1323-1 linux 2012-01-11
Ubuntu USN-1325-1 linux-ti-omap4 2012-01-11
Ubuntu USN-1324-1 linux-ec2 2012-01-11
Red Hat RHSA-2012:0010-01 kernel-rt 2012-01-10
Ubuntu USN-1322-1 linux 2012-01-09
Ubuntu USN-1319-1 linux-ti-omap4 2012-01-05
Ubuntu USN-1318-1 linux-fsl-imx51 2012-01-05
Oracle ELSA-2011-2037 enterprise kernel 2011-12-15
Scientific Linux SL-Kern-20111206 kernel 2011-12-06
Fedora FEDORA-2011-16621 kernel 2011-11-30
Red Hat RHSA-2011:1530-03 kernel 2011-12-06
Scientific Linux SL-kern-20111129 kernel 2011-11-29
CentOS CESA-2011:1479 kernel 2011-11-30
Oracle ELSA-2011-1479 kernel 2011-11-30
Red Hat RHSA-2011:1479-01 kernel 2011-11-29
Fedora FEDORA-2011-16346 kernel 2011-11-23
Fedora FEDORA-2011-16237 kernel 2011-11-23

Comments (none posted)

kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2011-4326 CVE-2011-3593 CVE-2011-3359
Created: November 28, 2011    Updated: November 30, 2011
Description: From the Oracle advisory:

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important)

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate)

allocate receive buffers big enough for max frame len + offset (Maxim Uvarov) {CVE-2011-3359}

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
SUSE SUSE-SU-2012:0364-1 Real Time Linux Kernel 2012-03-14
Ubuntu USN-1323-1 linux 2012-01-11
Ubuntu USN-1325-1 linux-ti-omap4 2012-01-11
Red Hat RHSA-2012:0010-01 kernel-rt 2012-01-10
Ubuntu USN-1311-1 linux 2011-12-19
SUSE SUSE-SU-2011:1319-2 Linux kernel 2011-12-14
SUSE SUSE-SU-2011:1319-1 Linux kernel 2011-12-13
Ubuntu USN-1304-1 linux-ti-omap4 2011-12-13
Ubuntu USN-1303-1 linux-mvl-dove 2011-12-13
Ubuntu USN-1302-1 linux-ti-omap4 2011-12-13
Ubuntu USN-1299-1 linux-ec2 2011-12-13
SUSE SUSE-SA:2011:046 kernel 2011-12-13
Ubuntu USN-1294-1 linux-lts-backport-oneiric 2011-12-08
Ubuntu USN-1293-1 linux 2011-12-08
Ubuntu USN-1292-1 linux-lts-backport-maverick 2011-12-08
Ubuntu USN-1286-1 linux 2011-12-03
Fedora FEDORA-2011-16346 kernel 2011-11-23
Oracle ELSA-2011-1465 kernel 2011-11-28
Oracle ELSA-2011-2033 unbreakable kernel 2011-11-28

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2011-2203
Created: November 29, 2011    Updated: November 30, 2011
Description: From the Red Hat advisory:

A NULL pointer dereference flaw was found in the Linux kernel's HFS file system implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains a specially-crafted HFS file system with a corrupted MDB extent record.

Alerts:
SUSE SUSE-SU-2012:0364-1 Real Time Linux Kernel 2012-03-14
openSUSE openSUSE-SU-2012:0236-1 kernel 2012-02-09
openSUSE openSUSE-SU-2012:0206-1 kernel 2012-02-09
Ubuntu USN-1344-1 linux 2012-01-24
Ubuntu USN-1345-1 linux 2012-01-24
Ubuntu USN-1341-1 linux 2012-01-23
Ubuntu USN-1340-1 linux-lts-backport-oneiric 2012-01-23
Ubuntu USN-1337-1 linux-lts-backport-natty 2012-01-23
Ubuntu USN-1332-1 linux-lts-backport-maverick 2012-01-13
Ubuntu USN-1330-1 linux-ti-omap4 2012-01-13
Ubuntu USN-1328-1 linux-mvl-dove 2012-01-13
Ubuntu USN-1323-1 linux 2012-01-11
Ubuntu USN-1325-1 linux-ti-omap4 2012-01-11
Ubuntu USN-1324-1 linux-ec2 2012-01-11
Ubuntu USN-1322-1 linux 2012-01-09
Ubuntu USN-1319-1 linux-ti-omap4 2012-01-05
Ubuntu USN-1318-1 linux-fsl-imx51 2012-01-05
SUSE SUSE-SU-2011:1319-2 Linux kernel 2011-12-14
SUSE SUSE-SU-2011:1319-1 Linux kernel 2011-12-13
SUSE SUSE-SA:2011:046 kernel 2011-12-13
Scientific Linux SL-kern-20111129 kernel 2011-11-29
CentOS CESA-2011:1479 kernel 2011-11-30
Oracle ELSA-2011-1479 kernel 2011-11-30
Red Hat RHSA-2011:1479-01 kernel 2011-11-29

Comments (none posted)

net6: multiple vulnerabilities

Package(s): net6    CVE #(s): CVE-2011-4093 CVE-2011-4091
Created: November 25, 2011    Updated: January 5, 2012
Description: From the Red Hat bugzilla:

Vasiliy Kulikov reported that libnet6 did not check the basic_server::id_counter for integer overflows. This number is used to distinguish different users, so an attacker that was able to open UINT_MAX successive connections could get an identifier of an already existing connection, allowing them to hijack that user's connection. (CVE-2011-4093)

Red Hat bugzilla:

Vasiliy Kulikov reported that libnet6 would check for user color collisions prior to authentication. This could allow for the disclosure of certain user information by users that were not authenticated. (CVE-2011-4091)
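An added example, not libnet6's own code, of the id_counter problem described for CVE-2011-4093: a uint32 connection-id allocator whose unchecked post-increment wraps after UINT_MAX allocations back onto an identifier still held by an open connection, next to a guarded version that skips live ids and reports exhaustion instead. The type and method names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// IDAllocator hands out per-connection identifiers the way a counter such as
// basic_server::id_counter would. Counter is exported only so the demo can
// park it next to UINT_MAX instead of making four billion calls.
type IDAllocator struct {
	Counter uint32
	live    map[uint32]bool // identifiers of connections still open
}

func NewIDAllocator() *IDAllocator { return &IDAllocator{live: map[uint32]bool{}} }

var ErrIDsExhausted = errors.New("all 2^32 connection ids are live; refusing to reuse one")

// NextUnchecked reproduces the flaw class: post-increment with no overflow
// check, so after UINT_MAX allocations the counter wraps and returns an id
// that may still belong to an open connection.
func (a *IDAllocator) NextUnchecked() uint32 {
	id := a.Counter
	a.Counter++ // silently wraps to 0, like unsigned arithmetic in C++
	a.live[id] = true
	return id
}

// Next is the guarded version: skip ids that are still live, and report
// exhaustion rather than ever handing out another connection's identity.
func (a *IDAllocator) Next() (uint32, error) {
	if uint64(len(a.live)) == 1<<32 {
		return 0, ErrIDsExhausted
	}
	for a.live[a.Counter] {
		a.Counter++
	}
	id := a.Counter
	a.Counter++
	a.live[id] = true
	return id, nil
}

// Release marks an id free once its connection closes.
func (a *IDAllocator) Release(id uint32) { delete(a.live, id) }

func main() {
	flawed := NewIDAllocator()
	early := flawed.NextUnchecked() // id 0, a long-lived user
	flawed.Counter = math.MaxUint32 // pretend 2^32-1 allocations happened since
	flawed.NextUnchecked()
	fmt.Println("flawed allocator reissued a live id:", flawed.NextUnchecked() == early)

	guarded := NewIDAllocator()
	early, _ = guarded.Next()
	guarded.Counter = math.MaxUint32
	guarded.Next()
	id, err := guarded.Next()
	fmt.Println("guarded allocator gave", id, "instead of", early, "err:", err)
}
```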

Alerts:
openSUSE openSUSE-SU-2012:0008-1 net6 2012-01-05
Fedora FEDORA-2011-15332 net6 2011-11-03
Fedora FEDORA-2011-15326 net6 2011-11-03
Fedora FEDORA-2011-15363 net6 2011-11-03

Comments (none posted)

rest, libsocialweb: multiple vulnerabilities

Package(s): rest, libsocialweb    CVE #(s): CVE-2011-4129
Created: November 25, 2011    Updated: November 23, 2012
Description: A connection to Twitter servers is established by default, whether you want it or not. See the Red Hat bugzilla for details.

Alerts:
Fedora FEDORA-2011-15839 libsocialweb 2011-11-13
Fedora FEDORA-2011-15839 rest 2011-11-13
Fedora FEDORA-2011-15833 libsocialweb 2011-11-13
Fedora FEDORA-2011-15833 rest 2011-11-13

Comments (none posted)

ReviewBoard: cross-site scripting

Package(s): ReviewBoard    CVE #(s): CVE-2011-4312
Created: November 29, 2011    Updated: November 30, 2011
Description: From the Red Hat bugzilla:

A cross-site scripting (XSS) flaw was found in the way the commenting system of ReviewBoard, a web-based code review tool, sanitized user input (new comments to be loaded). A remote attacker could provide a specially-crafted URL, which once visited by a valid ReviewBoard user could lead to arbitrary HTML or web script execution in the 'diff viewer' or 'screenshot pages' components.

Alerts:
Fedora FEDORA-2011-15933 ReviewBoard 2011-11-15
Fedora FEDORA-2011-15935 ReviewBoard 2011-11-15

Comments (none posted)

update-manager: multiple vulnerabilities

Package(s): update-manager    CVE #(s): CVE-2011-3152 CVE-2011-3154
Created: November 28, 2011    Updated: February 16, 2012
Description: From the Ubuntu advisory:

David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152)

David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154)

Alerts:
Ubuntu USN-1284-2 update-manager 2012-02-16
Ubuntu USN-1284-1 update-manager 2011-11-28

Comments (none posted)

Page editor: Jake Edge

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds