Jump to content

HP firmware to 'mitigate' LaserJet vulnerability


ShyWriter

Recommended Posts

.

c54sM.jpg

HP firmware to 'mitigate' LaserJet vulnerability

by Jonathan E. Skillings December 23, 2011 10:00 AM PST

HP_printer_02_270x184.jpg -- (Credit: Hewlett-Packard)

Hewlett-Packard said today that it has taken steps to prevent "a certain type of unauthorized access" to LaserJet printers.

The company didn't describe its new firmware as a fix for the potential printer problem. Rather, it rather delicately used the word "mitigate," the dictionary definition of which is "to make less severe or painful." Here's HP's full statement on the matter:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

Then again, HP has steadfastly declared that no customers have reported unauthorized access and that issue was overblown from the start, as in late November when it said "there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers."

At that time, it described the nature of the problem, and promised a firmware update to address the issues:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or
environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP also at that time decried "speculation" that the LaserJets in question could catch fire because of a firmware update or "this proposed vulnerability."

Despite those assurances, HP became the target of a lawsuit in early December alleging that the company sold those printers even though it knew of those alleged vulnerabilities. The lawsuit charges that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or downloaded modifications.

Source: http://news.cnet.com...-vulnerability/

FIX: s.gif

s.gifs.gifs.gifHP LaserJet Firmware Update Now Available

PALO ALTO, Calif., Dec. 23, 2011

On Nov. 29, HP announced that the potential existed for a certain type of unauthorized access to some HP LaserJet printers and confirmed it has received no customer reports of unauthorized access. HP today issued the following statement:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

The firmware update can be found at www.hp.com/support and selecting Drivers.

Additional printer security information is available at www.hp.com/go/secureprinting.

--End

Steve

Link to post
Share on other sites

I do not know what firmware they elude to.

Is that printer firmware or is that JetDirect firmware ?

Is that ONLY for printers with embedded print servers or is that for printer that uses an embedded Ethernet port or and addition JetDirect via an AIO port ?

There are a myriad of variations. For some printers with embedded print servers you have to update the firmware of the printer which also includes the print server. Others have a separate Printer Firmware and JetDirect Firmware. For example for one DesignJet I manged, the Firmware was for both the printer and embedded Ethernet (10/100/1000) port and was a whopping 512MB. { which led me to believe it was less of a Firmware and more of an OS image update }.

I manage numerous JetDirect enabled devices so I keep a repository of JetDirect Firmware. I swept the HP FTP server and don't see any new JetDirect Firmware which leaves me hungry for specific information concerning this broad-ranging vulnerability mitigation.

Link to post
Share on other sites

Steve, that's a picture of an HP OfficeJet printer, which is an inkjet printer designed for office use...

Here's a picture of a multifunction LaserJet. See how it's taller than the OfficeJet? The fuser and the toner take up a lot of space, so the printer has to be bigger.

ce841a_300.jpg

Edit: Just for fun, here's a picture of a LaserJet that I have installed in a lot of businesses:

ce527a_300.jpg

Link to post
Share on other sites

Steve, that's a picture of an HP OfficeJet printer, which is an inkjet printer designed for office use...

Here's a picture of a multifunction LaserJet. See how it's taller than the OfficeJet? The fuser and the toner take up a lot of space, so the printer has to be bigger.

ce841a_300.jpg

Edit: Just for fun, here's a picture of a LaserJet that I have installed in a lot of businesses:

ce527a_300.jpg

I just use the articles I find and repost them smarty-pants.. *grin* I even give the source which if you'll check has the same picture of the wrong printer. :P

If I have to start proofreading other, PAID, writer's/columnist's work then I'll never make it to age 69.. Speaking of which, I just turned 68 years old on December 17th; where's my cake?? ;)

Santa Claus is coming to town.. be good. *laugh*

Steve..

Link to post
Share on other sites

Steve, that's a picture of an HP OfficeJet printer, which is an inkjet printer designed for office use...

You are absolutely correct. However, i can not imagined that the so-called vulnerability would only affect laser printers and would affect any printing device with a network interface. However getting real technical information and a list of "affected" devices is extremely hard to come by. I have a theory of why this is but not willing to share it at this time.

Link to post
Share on other sites

I do not know what firmware they elude to.

Is that printer firmware or is that JetDirect firmware ?

Is that ONLY for printers with embedded print servers or is that for printer that uses an embedded Ethernet port or and addition JetDirect via an AIO port ?

There are a myriad of variations. For some printers with embedded print servers you have to update the firmware of the printer which also includes the print server. Others have a separate Printer Firmware and JetDirect Firmware. For example for one DesignJet I manged, the Firmware was for both the printer and embedded Ethernet (10/100/1000) port and was a whopping 512MB. { which led me to believe it was less of a Firmware and more of an OS image update }.

I manage numerous JetDirect enabled devices so I keep a repository of JetDirect Firmware. I swept the HP FTP server and don't see any new JetDirect Firmware which leaves me hungry for specific information concerning this broad-ranging vulnerability mitigation.

Dave; what can I say?? There was a security exploit concerning HP Printers announced a few weeks ago. I noted in my newspaper today that HP was making a fix available so I went looking, via GOOGLE, for a computer news site and the several I checked, including the official HP press release I attached to the CNET article, gave the firmware update at HP's support site. I have a Brother MFC-7440N myself. My last HP printer was a LaserJet 4P back when laser printers speed along at 4 pages a minute and cost $999 at CompUSA.:huh: Talk about getting ripped off.

I don't write or ameliorate the articles I pass along; that's why I always give a source and usually a source image header so people won't accuse me of plagiarizing someone else's work :unsure:

Wish I could help with the actual firmware link but it's out of my bailiwick. :(

Steve..

Link to post
Share on other sites

Dave; what can I say?? There was a security exploit concerning HP Printers announced a few weeks ago. I noted in my newspaper today that HP was making a fix available so I went looking, via GOOGLE, for a computer news site and the several I checked, including the official HP press release I attached to the CNET article, gave the firmware update at HP's support site. I have a Brother MFC-7440N myself. My last HP printer was a LaserJet 4P back when laser printers speed along at 4 pages a minute and cost $999 at CompUSA.:huh: Talk about getting ripped off.

I don't write or ameliorate the articles I pass along; that's why I always give a source and usually a source image header so people won't accuse me of plagiarizing someone else's work :unsure:

Wish I could help with the actual firmware link but it's out of my bailiwick. :(

Steve..

Steve, my reply isn't specifically to you. It is for the greater audience and I think there needs greater detail for this particular vulnerability mitigation.

Link to post
Share on other sites

.

post-35425-0-51130900-1324768147.jpg

HP issues LaserJet firmware update, hopefully ends exploding printer saga

By Daniel Cooper writer_rss.gif posted Dec 23rd 2011 3:08PM

printerbomb.jpg

Some of you might remember the story that HP LaserJet printers might be open to hack attacks that could result in some not-so-spontaneous combustion? Now the company has issued a statement saying that no-one reported their printer exploding, but to be on the safe side, it's produced a firmware update (available at the source link) that'll close the hole and ensure your Holiday doesn't end with a visit from the fire department.

Source: http://www.engadget....-exploding-pri/

post-35425-0-64131800-1324767762.jpg

HP LaserJet Firmware Update Now Available

PALO ALTO, Calif., Dec. 23, 2011: On Nov. 29, HP announced that the potential existed for a certain type of unauthorized access to some HP LaserJet printers and confirmed it has received no customer reports of unauthorized access. HP today issued the following statement:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

The firmware update can be found at www.hp.com/support and selecting Drivers.

Additional printer security information is available at www.hp.com/go/secureprinting.

About HP

HP creates new possibilities for technology to have a meaningful impact on people, businesses, governments and society. The world's largest technology company, HP brings together a portfolio that spans printing, personal computing, software, services and IT infrastructure to solve customer problems. More information about HP (NYSE: HPQ) is available at http://www.hp.com.

Source:

HP Technical Support

EDIT: I (Steve) read something somewhere that inferred the problem was isolated to LINUX and MacOS operating systems so that may be why Window's IT professionals are unable to find a specific M$ type firmware upgrade.

--End

Steve

Edited by ShyWriter
Link to post
Share on other sites

EDIT: I (Steve) read something somewhere that inferred the problem was isolated to LINUX and MacOS operating systems so that may be why Window's IT professionals are unable to find a specific M$ type firmware upgrade.

If it is a printer related Firmware then it is OS independent and the OS is a moot point.

Link to post
Share on other sites

If it is a printer related Firmware then it is OS independent and the OS is a moot point.

EXCERPTED:

HP writes to us in a tersely worded email:

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.

Source: http://www.dailytech.com/HP+Printers+Will+Stop+Themselves+Before+Hackers+Set+Them+On+Fire/article23396.htm

Steve

Link to post
Share on other sites

Again pointing to a Firmware upgrade and *any* OS can be used to to perform this. The issue is through the network interface and thus and OS can generate the packets and most likley using HP PCL to accomplish the task. Thus there is probably misinformation being distributed.

Note also "HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating..." since only laser printers use a fusing element, this precludes inkjets and negates my previous statement "...would affect any printing device with a network interface."

Finally note the sentence; "...securing devices by placing printers behind a firewall..." which is what I wrote when you posted about this vulnerability weeks ago. Remember ?

Link to post
Share on other sites

I just use the articles I find and repost them smarty-pants.. *grin* I even give the source which if you'll check has the same picture of the wrong printer. :P

Yes, I know. That's why I was giving you a hard time. ;)

You are absolutely correct. However, i can not imagined that the so-called vulnerability would only affect laser printers and would affect any printing device with a network interface. However getting real technical information and a list of "affected" devices is extremely hard to come by. I have a theory of why this is but not willing to share it at this time.

According to the statements from HP quoted in the article, it was a vulnerability in the way certain laser printers of the LaserJet line handled print jobs, and that not all LaserJet printers were effected. Since not all printers have the exact same hardware inside for processing print jobs and not all printers handle print jobs in exactly the same way, that this vulnerability most likely did not effect OfficeJet printers.

I could, of course, be wrong, however I do not expect OfficeJet printers to be effected by the exact same security vulnerability. Now I wouldn't be surprised if there was a similar security vulnerability in OfficeJet printers, but I would not expect an exploit for that (if it existed) to be compatible with the effected models of LaserJet printers.

Link to post
Share on other sites

Also, for those who are still confused as to the nature of the vulnerability, take a look at this quote from HP:

In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

If we think about that statement for a minute, we hopefully would notice this: "specially formatted corrupt print job". This means that it is not an issue specifically with the network interface (the JetDirect card), but is in fact an issue with how the printer is decoding the print job.

HP is stating that this is a Unix/Mac issue because Unix environments (Linux, BSD, Mac, etc) use CUPS (Centralized Unix Printing System) to handle printing. This probably means that whatever corruption in a print job triggers this exploit cannot be sent intact through the Windows printer API's.

As far as this thing about the firmware update being Unix/Mac only, I have no clue what they are talking about. I checked the driver and downloads for the HP LaserJet P4015d and while there are Unix and Mac specific firmware updates listed (most likely binaries for those who have the printer hooked up via USB), there is also a Windows firmware file and a generic cross-platform firmware file for the web interface listed under the "Cross operating system (BIOS, Firmware, Diagnostics, etc.)" link listed below the operating system selections (no I don't know why there's a Windows-specific firmware download listed in the "cross operating system" section).

Link to post
Share on other sites

Also, for those who are still confused as to the nature of the vulnerability, take a look at this quote from HP:

In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

If we think about that statement for a minute, we hopefully would notice this:
"specially formatted corrupt
print job
"
. This means that it is not an issue specifically with the network interface (the JetDirect card), but is in fact an issue with how the printer is decoding the print job.

But they are saying it is mitigated via a Firewall indicating said print-job would be done via TCP/IP.

HP is stating that this is a Unix/Mac issue because Unix environments (Linux, BSD, Mac, etc) use CUPS (Centralized Unix Printing System) to handle printing. This probably means that whatever corruption in a print job triggers this exploit cannot be sent intact through the Windows printer API's.

Isn't CUPS based upon PostScript?

PostScript is less capable than HP PCL.

As far as this thing about the firmware update being Unix/Mac only, I have no clue what they are talking about. I checked the driver and downloads for the
and while there are Unix and Mac specific firmware updates listed (most likely binaries for those who have the printer hooked up via USB), there is also a Windows firmware file and a generic cross-platform firmware file for the web interface listed under the "Cross operating system (BIOS, Firmware, Diagnostics, etc.)" link listed below the operating system selections (no I don't know why there's a Windows-specific firmware download listed in the "cross operating system" section).

There is much confusing information and I'd like to see the REAL comments on a HP web page or whitepaper and NOT some quote that C/Net printed in an article and is copied by everyone else.

Link to post
Share on other sites

[...]

There is much confusing information and I'd like to see the REAL comments on a HP web page or whitepaper and NOT some quote that C/Net printed in an article and is copied by everyone else.

If you will check the PRESS RELEASE *I* added to the article you will see it is word-for-word for the press release below copied from Arthur's HP Press Info link..

LLush.gif . . . . HP Newsroom > News releases

s.gif

News release

HP LaserJet Firmware Update Now Available

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

PALO ALTO, Calif., Dec. 23, 2011

On Nov. 29, HP announced that the potential existed for a certain type of unauthorized access to some HP LaserJet printers and confirmed it has received no customer reports of unauthorized access. HP today issued the following statement:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

The firmware update can be found at www.hp.com/support and selecting Drivers.

Additional printer security information is available at www.hp.com/go/secureprinting.

About HP

HP creates new possibilities for technology to have a meaningful impact on people, businesses, governments and society. The world’s largest technology company, HP brings together a portfolio that spans printing, personal computing, software, services and IT infrastructure to solve customer problems. More information about HP (NYSE: HPQ) is available at http://www.hp.com.

--END

Steve..

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.