update their devices' firmware or risk having remote attackers access
previously-printed documents.
In an advisory published Wednesday, HP said that users of certain
LaserJet, Color LaserJet and Digital Sender models are affected, and
urged them to immediately download and install firmware upgrades.
The devices include 10 different LaserJet models -- ranging from the
2410 to the 9050 -- two Color LaserJet models and the 9200C Digital
Sender, a sheet-fed document scanner.
According to San Antonio, Texas-based Digital Defense, Inc., the
security company that reported the problem to HP last October,
attackers can exploit a bug in the printers' Web-based control
interface to "read arbitrary system configuration files, cached
documents, etc."
Exploiting the vulnerability, the Digital Defense researchers said, is
"trivial" with common Web server "directory traversal" tactics. A
directory traversal attack is an HTTP-based exploit that lets
attackers access restricted directories, and execute commands outside
of the server's root directory.
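
The confinement check that a Web file handler needs in order to resist the directory traversal described above, shown beside the unchecked pattern. This is an added example, not code from the article, HP or Digital Defense; `WEB_ROOT`, the function names and the request paths are hypothetical and constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/webroot"  # hypothetical document root of an embedded web server

def naive_resolve(url_path):
    """Unchecked pattern: decode and join, with no confinement test."""
    return posixpath.normpath(WEB_ROOT + "/" + unquote(url_path))

def safe_resolve(url_path):
    """Return the file path if it stays under WEB_ROOT, else None."""
    decoded = url_path
    # Decode up to three times so double-encoded "%252e%252e" is unmasked;
    # input that is still changing after that is rejected outright.
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return None
    if "\x00" in decoded:                 # embedded NUL can truncate C paths
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator
    candidate = posixpath.normpath(
        posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Compare against WEB_ROOT + "/" so "/webroot-backup" does not match.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate

# Constructed request paths, not taken from any real device.
SAMPLES = [
    "/index.html",
    "/docs/../index.html",
    "/../../secret/config.txt",
    "/%2e%2e/%2e%2e/secret/config.txt",
    "/%252e%252e/secret/config.txt",
    "/..%5c..%5csecret",
    "/../webroot-backup/x",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:40} naive={naive_resolve(path)!r} "
              f"safe={safe_resolve(path)!r}")
```

On a real filesystem the candidate should also be passed through `os.path.realpath` before the prefix test, so that symbolic links inside the root cannot point outside it.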
Adrien de Beaupre, an analyst with the SANS Institute's Internet
Storm Center (ISC), added his voice to the call for patching printers.
"The impact might not seem severe, as in the attacker can view the
printer configuration; however, viewing cached versions of printed