Secunia Advisory SA47063

HP LaserJet Printers / Digital Senders Unauthorized Firmware Update Security Issue
Release Date 2011-12-01
Last Update 2012-04-27
   

Criticality level Moderately critical
Impact Security Bypass
Where From local network
Solution Status Partial Fix
   
   
Operating System
HP 9200C Digital Sender
HP 9250 Digital Sender
HP CM8000 Color MFP Series
HP Color LaserJet 2800 All-in-One Printer Series
HP Color LaserJet 3000 Series
HP Color LaserJet 3800 Series
HP Color LaserJet 4700 Series
HP Color LaserJet 4730 Series
HP Color LaserJet 5550 Series
HP Color LaserJet 9500 Series
HP Color LaserJet CM1312 Multifunction Printer Series
HP Color LaserJet CM2320 Multifunction Printer series
HP Color LaserJet CM3530 Series
HP Color LaserJet CM4730 Multifunction Printer Series
HP Color LaserJet CM6030/CM6040 MFP Series
HP Color LaserJet CP1210 Printer series
HP Color LaserJet CP1510 Printer Series
HP Color LaserJet CP2025 Printer series
HP Color LaserJet CP3505 Series
HP Color LaserJet CP3525 Series
HP Color LaserJet CP4005 Series
HP Color LaserJet CP4025 / CP 4525 Series
HP Color Laserjet CP5525 Series
HP Color LaserJet CP6015
HP Color LaserJet Enterprise CM4540 Series
HP Color LaserJet Enterprise CP4520 Printer series
HP Color LaserJet Enterprise CP4525
HP Color LaserJet P4014 / P4015 / P4515 Series
HP Color LaserJet Professional CP5225 Printer series
HP LaserJet 2400 Printer Series
HP LaserJet 4240 / 4250 / 4340 Series
HP LaserJet 4345 Series
HP LaserJet 4350 Series
HP LaserJet 5200 Series
HP LaserJet 9040/9050 Series
HP LaserJet Enterprise 500 color M551 Series
HP LaserJet Enterprise 600 Series
HP LaserJet Enterprise M4555 MFP Series
HP LaserJet Enterprise P3015 Series
HP LaserJet M1120 Multifunction Printer Series
HP LaserJet M1319 Multifunction Printer Series
HP LaserJet M2727 Multifunction Printer series
HP LaserJet M3027/3035 MFP
HP LaserJet M3035 MFP Series
HP LaserJet M4345 Multifunction Printer series
HP LaserJet M5025/5035 MFP
HP LaserJet M5035 MFP Series
HP LaserJet M9040/M9050 Multifunction Printer series
HP LaserJet P1500 Printer series
HP LaserJet P2035 Printer series
HP LaserJet P2055 Printer series
HP LaserJet P3005 Series
HP LaserJet P4515
HP Laserjet Printer 5200 Series
HP LaserJet Pro 100 Color M175 Multifunction Printer series
HP LaserJet Pro CM1415 Color Multifunction Printer series
HP LaserJet Pro CP1025 Color Printer Series
HP LaserJet Pro CP1525 Color Printer series
HP LaserJet Pro M1136 Multifunction Printer series
HP LaserJet Pro M1212nf Multifunction Printer series
HP LaserJet Pro M1536 Multifunction Printer series
HP LaserJet Pro P1102 Printer Series
HP LaserJet Pro P1606dn Printer

CVE Reference(s) CVE-2011-4161
  

Description

A security issue has been reported in various HP LaserJet Printers and HP Digital Senders, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused by an error within the Remote Firmware Update (RFU) mechanism, which does not check for authentication when handling firmware updates. This can be exploited to upload malicious firmware to a device via a specially crafted request to TCP port 9100.

Please see the vendor's advisory for the list of affected products.


Solution
Apply the firmware update. Please see the vendor's advisory for details. As a workaround, disable the "Printer Firmware Update" setting.
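
Because the issue is reachable from the local network on TCP port 9100, one monitoring check is to flag connections to that port on printer subnets from any host that is not an approved print server. The following is an added example, not part of the Secunia or HP advisory; the flow-record format, subnets, addresses and function name are constructed assumptions.

```python
import csv
import ipaddress

RAW_PRINT_PORT = 9100  # port named in the advisory

# Constructed inventory (assumptions, not taken from the advisory).
PRINTER_NETS = [ipaddress.ip_network("10.20.30.0/24")]
PRINT_SERVERS = {ipaddress.ip_address("10.20.1.5")}

# Constructed flow records: time,src,dst,dport,bytes
SAMPLE_FLOWS = """\
2012-04-27T09:00:01,10.20.1.5,10.20.30.11,9100,48213
2012-04-27T09:02:17,10.20.44.80,10.20.30.11,9100,7340032
2012-04-27T09:03:40,10.20.44.80,10.20.30.12,443,1200
2012-04-27T09:05:02,10.20.44.81,10.99.0.7,9100,5000
not,a,valid,flow,record
2012-04-27T09:06:30,10.20.44.82,10.20.30.15,9100,900
"""


def unexpected_raw_print_flows(text, printer_nets=PRINTER_NETS,
                               print_servers=PRINT_SERVERS):
    """Return flows to TCP 9100 on a printer subnet whose source is not
    an approved print server, largest transfer first."""
    findings = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # wrong field count
        when, src, dst, dport, nbytes = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport, nbytes = int(dport), int(nbytes)
        except ValueError:
            continue  # malformed address or number
        if dport != RAW_PRINT_PORT:
            continue
        if not any(dst_ip in net for net in printer_nets):
            continue  # destination is not a known printer subnet
        if src_ip in print_servers:
            continue  # expected path: print server to printer
        findings.append({"time": when, "src": src, "dst": dst, "bytes": nbytes})
    # Large transfers are listed first for triage.
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in unexpected_raw_print_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['src']} -> {f['dst']}:9100 ({f['bytes']} bytes)")
```

The same allowlist can be enforced at the network layer, so that only the print servers can reach port 9100 on the printer subnets.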

Provided and/or discovered by
Salvatore Stolfo and Ang Cui, Columbia University.


Original Advisory
HPSBPI02728 SSRT100692:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03102449


