Date:	Fri, 11 Dec 1998 19:07:08 +0100
From:	Phear Me <patrick@ERNIE.MONSTER.ORG>
Subject:      FW: ISSalert: ISS Security Advisory: HP JetDirect TCP/IP problems
To:	BUGTRAQ@NETSPACE.ORG

-----Original Message-----
From: owner-alert@iss.net [mailto:owner-alert@iss.net] On Behalf Of X-Force
Sent: Friday, December 11, 1998 4:47 PM
To: alert@iss.net
Cc: X-Force
Subject: ISSalert: ISS Security Advisory: HP JetDirect TCP/IP problems


ISS Security Advisory
December 10, 1998

HP JetDirect TCP/IP problems


Synopsis:

This advisory covers a number of miscellaneous issues regarding HP
JetDirect printer interface cards and print servers of various vintages.  HP
has addressed many of these issues in newer JetDirect print server
products (Fall 98).  More information about newer products and upgrades
is available from HP contact representatives.

Older TCP/IP implementations on HP JetDirect cards and servers are
vulnerable to a wide variety of Denial of Service (DoS) attacks which
subsequently require power cycling the server or the printer to recover.
Most of these sundry problems have been discussed on the BugTraq mailing
list, bugtraq@netspace.org.  Most point up a particularly fragile TCP/IP
implementation subject to race conditions and poor error recovery.

Older JetDirect servers and cards attempt to emulate an lpd style printing
system.  This emulation suffers from several limitations which may or may
not relate to the TCP/IP vulnerabilities.

Because of the single-threaded nature of the older JetDirect interface,
whenever one of the JetDirect access ports is occupied, the other ports
are unavailable.  The consequence is that the older JetDirect cannot truly
emulate the spooler characteristics.  When the older JetDirect is
receiving lpd data, it is unavailable to lpq/lpstat queries.  If anything
goes wrong in this single-threaded interface, all access can be denied to
the printer.

Newer JetDirect interfaces feature a web interface for configuration,
access, and control.  Because the interface does not use SSL encryption,
the potential exists for exposing sensitive information such as
administrative passwords and configuration information to sniffing
attacks.


Recommendations:

HP has newer versions of the JetDirect print server products available
which fix most of the problems associated with the older interfaces and
print servers.  If an upgrade is available, the JetDirect card or
firmware should be upgraded.  Contact HP for more information concerning
upgrade or replacement availability.

For those products for which an upgrade or replacement is not readily
available, it may be possible to tolerate or compensate for these
problems when recognized.

If possible, limit all access to the JetDirect interface to the absolute
minimum required.  Do not allow access to older JetDirect cards from
areas that are not under reasonable supervision or control.  While
blocking access from outside networks might be a minimum consideration,
some internal controls to limit "practical jokes" would also be advisable.

With the reasonable cost of PCs, it may be more cost effective to replace
older JetDirect servers with tiny PC systems with full spooler
functionality and a more robust TCP/IP implementation.

Another option could be to hide older JetDirect cards or servers behind
other systems with spoolers and strictly limit JetDirect card access to
designated spooling systems.  Then force all other users to work through
the designated spooler systems.  This may be a viable alternative where
spooler systems already exist on the network with the older JetDirect
cards.

Access to the web interface of the newer JetDirect cards should be
limited, and access from outside of controlled networks should be
restricted.  While there are no specific vulnerabilities known in the
JetDirect web servers at this time, unrestricted access could result in
the leakage of sensitive configuration information about the printer.
Passwords and community string names should be different from any other
passwords or devices to protect other network facilities from inadvertent
leakage of printer information.


Detailed Specific Problems:

Older HP JetDirect cards and servers of various revisions have been
demonstrated to fail under the following attacks:


HP Display Hack (from sili@l0pht.com):

The HP Display Hack from L0pht allows someone to print arbitrary messages
of up to 16 characters on HP printers with LCD panels.  When used just
prior to one of the DoS attacks below, it is possible for an attacker to
perform "social engineering" attacks where they post something like a
toll telephone number on the display panel and then kill the interface.
Some users could be tricked into placing expensive calls, thinking they
were calling for service as instructed by the printer.  This vulnerability
and the exploit code have been posted to the BugTraq mailing list.

This is a feature of the printer control language and is present in newer
versions of the JetDirect interfaces.


Syn "Dripping":

Even though the JetDirect cards are not subject to SYN flooding per se,
the single-threaded TCP/IP stack means that even a single SYN packet can
lock up the older interface for a significant period of time (tens of
seconds to as much as a minute).  Thus the printer can be subjected to a
denial of service attack by slowly dripping SYN packets with non-responding
"from" addresses directed to the older JetDirect interface.  If this is
directed at more than one of the JetDirect ports, the interface may lock
up, as in the repeated rapid port scanning DoS described below.

This problem was uncovered at Internet Security Systems during the
analysis of other JetDirect problems.

Newer multi-threaded versions of the JetDirect interfaces are not
vulnerable to this problem.


Repeated rapid port scanning:

Some scanning tools use parallel port scanning to improve scanning speed.
Parallel scanning of multiple ports on the older JetDirect cards has a
high probability of causing a complete lockup of the JetDirect network
interface.  The fact that the DoS is not deterministic, and the failure
rate is highly dependent on the timing and speed of the scan, indicates
that this is a timing window or race condition in the TCP/IP stack on the
older JetDirect.

Rapidly scanning ports 9099 and 9100 can very quickly cause this failure,
and scanning 9099 and 9100 from a low order port such as port 20 (ftp
data) could slip past some filtering firewalls.

This lockup is not accompanied by any particular LCD panel display,
permitting it to be used in combination with the HP Display Hack described
above.

This problem was uncovered at Internet Security Systems during routine
product testing.

This problem may still be present, but much more difficult to exploit, in
newer versions of the JetDirect interfaces and newer JetDirect print
servers.


Land:

Land is a spoofed attack where a connection appears to be addressed to an
address:port combination from that same address:port combination.  This
attack causes some TCP/IP stacks to lock dead.  The older JetDirect TCP
protocol stack is vulnerable to land attacks.  This attack can be blocked
from the outside by any reasonable anti-spoofing filters on firewalls or
routers. This lockup is not accompanied by any particular LCD panel
display, permitting it to be used in combination with the HP Display Hack
above. This vulnerability has been discussed on the BugTraq mailing list.

This problem is not present in newer versions of the JetDirect interfaces.
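As an added example (not part of the ISS advisory or any HP tool), the following Python flags the three traffic patterns described in the SYN "dripping", port scanning and Land sections above in a simplified connection log: land packets, SYNs toward the printer that the client never acknowledges, and rapid hits on both 9099 and 9100 from one source.  The log format, the printer address and the sample lines are all constructed for this example.

```python
"""Flag land packets, SYN dripping and parallel 9099/9100 scans against a
JetDirect in a constructed log: "<seconds> <src ip:port> > <dst ip:port> <flags>"."""
from collections import defaultdict, namedtuple

PRINTER = "10.0.9.9"          # constructed address of the older JetDirect
PRINTER_PORTS = {9099, 9100}  # raw-print ports named in the advisory
SCAN_WINDOW = 1.0             # both ports hit within this many seconds -> scan

Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

def parse(line):
    ts, src, _, dst, flags = line.split()
    sip, sp = src.rsplit(":", 1)
    dip, dp = dst.rsplit(":", 1)
    return Pkt(float(ts), sip, int(sp), dip, int(dp), flags)

def analyze(lines):
    findings = {"land": [], "half_open": [], "parallel_scan": []}
    syns, completed = {}, set()     # handshakes keyed by (src, sport, dport)
    scan_hits = defaultdict(list)   # src -> [(ts, dport)] of SYNs seen
    for p in (parse(l) for l in lines if l.strip()):
        if p.dst != PRINTER:
            continue                 # only traffic toward the printer matters
        if (p.src, p.sport) == (p.dst, p.dport):   # land: src == dst addr:port
            findings["land"].append(p.src)
        elif p.flags == "S":
            syns[(p.src, p.sport, p.dport)] = p.ts
            if p.dport in PRINTER_PORTS:
                scan_hits[p.src].append((p.ts, p.dport))
        elif "A" in p.flags:
            completed.add((p.src, p.sport, p.dport))   # client finished handshake
    # SYN dripping: SYNs never acknowledged (a live detector would use a timeout).
    findings["half_open"] = sorted({k[0] for k in syns if k not in completed})
    # Parallel scan: one source hits both raw-print ports within SCAN_WINDOW.
    for src, hits in scan_hits.items():
        hits.sort()
        if any(a[1] != b[1] and b[0] - a[0] <= SCAN_WINDOW
               for a, b in zip(hits, hits[1:])):
            findings["parallel_scan"].append(src)
    return findings

SAMPLE_LOG = """\
0.00 10.0.0.5:40000 > 10.0.9.9:9100 S
0.02 10.0.0.5:40000 > 10.0.9.9:9100 A
5.00 198.51.100.7:1234 > 10.0.9.9:9100 S
60.00 10.0.9.9:9100 > 10.0.9.9:9100 S
70.00 10.0.0.66:20 > 10.0.9.9:9099 S
70.01 10.0.0.66:20 > 10.0.9.9:9100 S
""".splitlines()   # constructed sample, not a real capture
```

Running `analyze(SAMPLE_LOG)` reports the land packet from the printer's own address, two sources with unacknowledged SYNs, and one source that hit both ports within the window; the completed handshake from 10.0.0.5 is not flagged.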


Nestea / Nestea2:

Nestea is a variation of the TearDrop-style fragmentation attacks.  By
mishandling peculiar fragmentation reassemblies, certain TCP/IP stacks
will fail.  Older JetDirect cards are vulnerable to this style of attack.
Printers with LCD displays may display a service error code.  This attack
can be blocked from the outside by any device which does full packet
reassembly, such as a proxy-style firewall or a router with packet
reassembly.

Because this problem generally results in a service or error code
displayed on the LCD panel, it is less likely to be used in conjunction
with the HP Display Hack described above.  This vulnerability has been
discussed on the BugTraq mailing list.

This problem is not present in newer versions of the JetDirect interfaces.


SNMP:

The default SNMP community names on the older JetDirect cards and servers
allow for very rapid identification of vulnerable printers which may be
subjected to these various attacks.  The community names on the JetDirect
cards should be changed.

On some older versions of the JetDirect interfaces, changing the SNMP
community names added the new community names, but the interface would
still respond to the old community name.  While SNMP community names
should not be considered secure, these older cards may give a false sense
of protection.

The problem with not being able to disable the older community name is not
present in newer versions of the JetDirect interfaces.


Additional Information:

These vulnerabilities were primarily researched by Michael H. Warfield of the
ISS X-Force.  Our appreciation to the individuals at Hewlett Packard who
assisted us in evaluating these problems and the current state of the
JetDirect interface.

________

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please email
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition.  There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:  http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force
<xforce@iss.net> of Internet Security Systems, Inc.

