ARN

HP urges LaserJet users to patch printers

Attackers can access printed documents by exploiting Web interface.

Hewlett-Packard has warned owners of some of its laser printers to update their devices' firmware or risk having remote attackers access previously-printed documents.

In an advisory published Wednesday, HP said that users of certain LaserJet, Color LaserJet and Digital Sender models are affected, and urged them to immediately download and install firmware upgrades.

The devices include 10 different LaserJet models -- ranging from the 2410 to the 9050 -- two Color LaserJet models and the 9200C Digital Sender, a sheet-fed document scanner.

According to Digital Defense, the security company that reported the problem to HP last October, attackers can exploit a bug in the printers' Web-based control interface to "read arbitrary system configuration files, cached documents, etc."

Exploiting the vulnerability, the Digital Defense researchers said, is "trivial" with common Web server "directory traversal" tactics. A directory traversal attack is an HTTP-based exploit that lets attackers access restricted directories and execute commands outside of the server's root directory.

Adrien de Beaupre, an analyst with the SANS Institute's Internet Storm Center (ISC), added his voice to the call for patching printers. "The impact might not seem severe, as in the attacker can view the printer configuration; however, viewing cached versions of printed documents can be," said de Beaupre in an alert on the ISC site Friday.

Other than patching, the only other defensive measure available is to disable access to the printers' online control interface, de Beaupre added.

HP listed the affected printers in a security bulletin, which also included instructions on how to download the firmware update.
