Date: Fri, 11 Dec 1998 10:46:36 -0500 (EST)
From: X-Force
To: alert@iss.net
Cc: X-Force
Subject: ISSalert: ISS Security Advisory: HP JetDirect TCP/IP problems

ISS Security Advisory
December 10, 1998

HP JetDirect TCP/IP problems

Synopsis:

This advisory covers a number of miscellaneous issues regarding HP JetDirect printer interface cards and print servers of various vintage. HP has addressed many of these issues in newer JetDirect print server products (Fall 98). More information about newer products and upgrades is available from HP contact representatives.

Older TCP/IP implementations on HP JetDirect cards and servers are vulnerable to a wide variety of Denial of Service (DoS) attacks which subsequently require power cycling the server or the printer to recover. Most of these sundry problems have been discussed on the BugTraq mailing list, bugtraq@netspace.org. Most point to a particularly fragile TCP/IP implementation subject to race conditions and poor error recovery.

Older JetDirect servers and cards attempt to emulate an lpd-style printing system. This emulation suffers from several limitations which may or may not relate to the TCP/IP vulnerabilities. Because of the single-threaded nature of the older JetDirect interface, whenever one of the JetDirect access ports is occupied, the other ports are unavailable. The consequence is that the older JetDirect cannot truly emulate the spooler characteristics. When the older JetDirect is receiving lpd data, it is unavailable to lpq/lpstat queries. If anything goes wrong in this single-threaded interface, all access to the printer can be denied.

Newer JetDirect interfaces feature a web interface for configuration, access, and control. Because the interface does not use SSL encryption, the potential exists for exposing sensitive information such as administrative passwords and configuration information to sniffing attacks.
Recommendations:

HP has newer versions of the JetDirect print server products available which fix most of the problems associated with the older interfaces and print servers. If an upgrade is available, the JetDirect card or firmware should be upgraded. Contact HP for more information concerning upgrade or replacement availability.

For those products for which an upgrade or replacement is not readily available, it may be possible to tolerate or compensate for these problems once they are recognized. If possible, limit all access to the JetDirect interface to the absolute minimum required. Do not allow access to older JetDirect cards from areas that are not under reasonable supervision or control. While blocking access from outside networks might be a minimum consideration, some internal controls to limit "practical jokes" would also be advisable.

With the reasonable cost of PCs, it may be more cost effective to replace older JetDirect servers with small PC systems with full spooler functionality and a more robust TCP/IP implementation. Another option could be to hide older JetDirect cards or servers behind other systems with spoolers and strictly limit JetDirect card access to designated spooling systems, then force all other users to work through the designated spooler systems. This may be a viable alternative where spooler systems already exist on the network with the older JetDirect cards.

Access to the web interface of the newer JetDirect cards should be limited, and access from outside of controlled networks should be restricted. While there are no specific vulnerabilities known in the JetDirect web servers at this time, unrestricted access could result in the leakage of sensitive configuration information about the printer. Passwords and community string names should be different from any other passwords or devices to protect other network facilities from inadvertent leakage of printer information.
Detailed Specific Problems:

Older HP JetDirect cards and servers of various revisions have been demonstrated to fail under the following attacks:

HP Display Hack (from sili@l0pht.com):

The HP Display Hack from L0pht allows someone to print arbitrary messages of up to 16 characters on HP printers with LCD panels. When used just prior to one of the DoS attacks below, it is possible for an attacker to perform "social engineering" attacks where they post something like a (toll) telephone number on the display panel and then kill the interface. Some users could be tricked into placing expensive calls thinking they were calling for service as instructed by the printer. This vulnerability and the exploit code have been posted to the BugTraq mailing list. This is a feature of the printer control language and is present in newer versions of the JetDirect interfaces.

SYN "Dripping":

Even though the JetDirect cards are not subject to SYN flooding per se, due to the single-threaded TCP/IP stack, even a single SYN packet can lock up the older interface for a significant period of time (tens of seconds to as much as a minute). Thus the printer can be subjected to a denial of service attack by slowly dripping SYN packets with non-responding "from" addresses directed to the older JetDirect interface. If this is directed at more than one of the JetDirect ports, the interface may lock up, as in the repeated rapid port scanning DoS described below. This problem was uncovered at Internet Security Systems during the analysis of other JetDirect problems. Newer multi-threaded versions of the JetDirect interfaces are not vulnerable to this problem.

Repeated rapid port scanning:

Some scanning tools use parallel port scanning to improve scanning speed. Parallel scanning of multiple ports on the older JetDirect cards has a high probability of causing a complete lockup of the JetDirect network interface.
The fact that the DoS is not deterministic, and that the failure rate is highly dependent on the timing and speed of the scan, indicates that this is a timing window or race condition in the TCP/IP stack on the older JetDirect. Rapidly scanning ports 9099 and 9100 can very quickly cause this failure, and scanning 9099 and 9100 from a low-order port such as port 20 (ftp data) could slip past some filtering firewalls. This lockup is not accompanied by any particular LCD panel display, permitting it to be used in combination with the HP Display Hack described above. This problem was uncovered at Internet Security Systems during routine product testing. This problem may still be present, but much more difficult to exploit, in newer versions of the JetDirect interfaces and newer JetDirect print servers.

Land:

Land is a spoofed attack where a connection appears to be addressed to an address:port combination from that same address:port combination. This attack causes some TCP/IP stacks to lock dead. The older JetDirect TCP protocol stack is vulnerable to land attacks. This attack can be blocked from the outside by any reasonable anti-spoofing filters on firewalls or routers. This lockup is not accompanied by any particular LCD panel display, permitting it to be used in combination with the HP Display Hack above. This vulnerability has been discussed on the BugTraq mailing list. This problem is not present in newer versions of the JetDirect interfaces.

Nestea / Nestea2:

Nestea is a variation of the TearDrop-style fragmentation attacks. By mishandling peculiar fragmentation reassemblies, certain TCP/IP stacks will fail. Older JetDirect cards are vulnerable to this style of attack. Printers with LCD displays may display a service error code. This attack can be blocked from the outside by any device which does full packet reassembly, such as a proxy-style firewall or a router with packet reassembly.
Because this problem generally results in a service or error code displayed on the LCD panel, it is less likely to be used in conjunction with the HP Display Hack described above. This vulnerability has been discussed on the BugTraq mailing list. This problem is not present in newer versions of the JetDirect interfaces.

SNMP:

The default SNMP community names on the older JetDirect cards and servers allow for very rapid identification of vulnerable printers which may be subjected to these various attacks. The community names on the JetDirect cards should be changed. On some older versions of the JetDirect interfaces, changing the SNMP community names added the new community names, but the interface would still respond to the old community name. While SNMP community names should not be considered secure, these older cards may give a false sense of protection or behavior. The problem with not being able to disable the older community name is not present in newer versions of the JetDirect interfaces.

Additional Information:

This vulnerability was primarily researched by Michael H. Warfield of the ISS X-Force. Our appreciation to the individuals at Hewlett Packard who assisted us in evaluating these problems and the current state of the JetDirect interface.

________

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.
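As an added example (not part of the ISS advisory), the following Python detector applies three of the patterns described under Detailed Specific Problems to flow records destined for a JetDirect interface: Land packets (source address:port equal to destination address:port), SYN "dripping" (repeated SYNs from a source that never completes a handshake), and rapid parallel scanning of the printer ports (several distinct ports within a short window, including from a low source port such as 20). The record format, the port list and the sample records are constructed for this example; they are not a real log format or captured traffic.

```python
from collections import defaultdict
JETDIRECT_PORTS = {515, 9099, 9100, 80, 161}  # lpd, raw print 9099/9100, web, SNMP
def parse_line(line):
    # Constructed flow-record format: 'ts src:sport > dst:dport flags'.
    ts, src, _, dst, flags = line.split()
    saddr, sport = src.rsplit(":", 1)
    daddr, dport = dst.rsplit(":", 1)
    return float(ts), saddr, int(sport), daddr, int(dport), flags
def analyze(lines, scan_ports=3, window=2.0):
    # Returns (kind, source, detail) findings for land, SYN-drip and scan patterns.
    findings = []
    syn_seen = defaultdict(list)   # (src, dst) -> timestamps of SYNs sent
    acked = set()                  # (src, dst) pairs that later sent an ACK
    ports_hit = defaultdict(list)  # src -> [(ts, dport)] for SYNs to printer ports
    for line in lines:
        ts, saddr, sport, daddr, dport, flags = parse_line(line)
        if dport not in JETDIRECT_PORTS:
            continue
        if saddr == daddr and sport == dport:  # Land: packet addressed to itself
            findings.append(("land", saddr, f"port {dport}"))
        if flags == "S":
            syn_seen[(saddr, daddr)].append(ts)
            ports_hit[saddr].append((ts, dport))
        elif "A" in flags:
            acked.add((saddr, daddr))
    # SYN dripping: repeated SYNs from a source that never completes a handshake.
    for (saddr, daddr), stamps in syn_seen.items():
        if (saddr, daddr) not in acked and len(stamps) >= 2:
            findings.append(("syn-drip", saddr, f"{len(stamps)} unanswered SYNs to {daddr}"))
    # Rapid parallel scan: at least scan_ports distinct ports within `window` seconds.
    for saddr, hits in ports_hit.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if t - t0 <= window}
            if len(distinct) >= scan_ports:
                findings.append(("port-scan", saddr, f"ports {sorted(distinct)} within {window}s"))
                break
    return findings
# Constructed sample records (not captured traffic); timestamps in seconds.
SAMPLE = [
    "0.0 10.0.0.5:1025 > 10.0.0.9:515 S",
    "0.1 10.0.0.5:1025 > 10.0.0.9:515 A",     # normal lpd job, handshake completes
    "1.0 10.0.0.9:9100 > 10.0.0.9:9100 S",    # Land: source equals destination
    "5.0 192.0.2.7:40000 > 10.0.0.9:9100 S",  # slow SYN drip, never acknowledged
    "35.0 192.0.2.7:40001 > 10.0.0.9:9100 S",
    "70.0 10.0.0.8:20 > 10.0.0.9:9099 S",     # parallel scan from source port 20
    "70.2 10.0.0.8:20 > 10.0.0.9:9100 S",
    "70.4 10.0.0.8:20 > 10.0.0.9:515 S",
]
```

Running `analyze(SAMPLE)` reports the Land packet from 10.0.0.9, the two unanswered SYNs from 192.0.2.7, and the three-port scan from 10.0.0.8, while the completed lpd session from 10.0.0.5 produces no finding.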