-----BEGIN PGP SIGNED MESSAGE-----

Penn Security Advisory PSA-96-01
August 7, 1996
Updated September 22, 1998 with new CRC address.

Topic: Vulnerability in Hewlett-Packard JetDirect printer cards

=============================================

Acknowledgments:

Thank you to SAS Computing for their help in identifying the problems, defining the solutions and reviewing this advisory. Any errors or omissions are mine. Also, thank you to Hewlett-Packard for their help.

Questions:

If you have specific questions about how to configure your printer according to these instructions, please contact ISC First Call at 3-4778 or help@isc.upenn.edu, or stop in at the CRC offices at Suite 202, Sansom West (Graduate Tower B), 3650 Chestnut Street. If you have more general questions about this advisory, please contact Information Security at security@isc.upenn.edu.

There are several vulnerabilities that allow a remote intruder to re-configure printers equipped with HP JetDirect cards. This could allow an intruder to re-route print to another printer, to disable a printer, or to rename it. One incident has been reported in which several campus printer names were changed.

LAN administrators, particularly those in areas of the University that print sensitive information, are strongly encouraged to follow the steps in Section III to determine whether their printers are vulnerable, and to take the recommended precautions.

Some older HP JetDirect cards do not support some of the security features recommended here. HP has a "buy-back" program that credits $150 toward the purchase of a new card when you trade in your old card. Contact the dealer where you purchased the card for details. If a dealer is not familiar with the program, please contact Abe Ahmed in Penn Purchasing (aahmed@pobox.upenn.edu).

The recommendations outlined below are based on the best information available at the time.

If you are particularly concerned about the security of printers or computers/networks under your care, contact University of Pennsylvania Information Security (security@isc.upenn.edu).

As additional information is received relating to this advisory, it will be placed in:

    http://www.upenn.edu/security-privacy/advisories/PSA-96.01.README

_____________________________________________

I. Description

The Hewlett-Packard JetDirect card for network printers allows report routing and printer configuration via a range of networking protocols, including TCP/IP, Novell IPX, EtherTalk (AppleTalk over Ethernet), and DLC/LLC. Some printer parameters can be re-configured locally (at the printer control panel), while others can be configured remotely via a number of utilities. Configurable parameters include the networking protocols supported and the number of copies printed, as well as protocol-specific naming information (i.e. IP address and domain name for TCP/IP; printer name and server name for Novell IPX; and printer name and AppleTalk zone for EtherTalk).

If an intruder is able to re-configure the printer, reports could be re-routed to another printer. An intruder can disable the target printer and then configure another printer on the same network with the name of the target printer. The intruder does not need physical access to either printer for this. Any reports sent to the target printer will then be re-routed to the re-configured substitute printer. Some attacks could be carried out from anywhere on campus, while others could only be carried out from within the same subnet, depending on the protocol.

It is also possible that a remote intruder could render a printer temporarily inoperable by changing certain configuration options. In some cases, such an attack could originate from anywhere on the Internet. Other types of such attacks could only originate from on campus.
Hewlett-Packard provides several different utilities for configuring printers equipped with JetDirect cards, as well as several facilities for restricting local and remote configuration.

A. Configuration Tools

HP printers can be configured locally using the printer control panel. They can be configured remotely using the LaserJet Utility for Macintosh, or using the HP JetAdmin utility on the following platforms:

    HP JetAdmin Software for HP-UX 8.x & 9.x
    HP JetAdmin Software for HP-UX 10.x
    HP JetAdmin Software for NetWare
    HP JetAdmin Software for OS/2
    HP JetAdmin Software for Solaris 2.1
    HP JetAdmin Software for Solaris 2.x
    HP JetAdmin Software for SunOS
    HP JetAdmin Software for Windows for Workgroups
    HP JetAdmin Software for Windows 95
    HP JetAdmin Software for Windows NT

(HP reports that IBM offers a JetAdmin utility for AIX.)

JetDirect cards that support the TCP/IP protocol can also be configured remotely by telnetting directly to the printer.

LAN administrators will find that the Mac-based LaserJet Utility has only limited capabilities for remote printer administration, and will need to use other facilities (i.e. the local printer control panel, telnet, or JetAdmin) for some tasks, such as enabling/disabling protocols, setting telnet passwords, setting peer-to-peer passwords, etc.

B. Restricting Configuration

HP provides several facilities for restricting printer re-configuration. Two facilities provide restrictions based on associated servers and protocols. Four other facilities provide password-based restrictions. Each password-based restriction is distinct and separate, using its own, unique password.

IPX (Novell) Server Restrictions

For JetDirect cards supporting IPX, remote configuration can be restricted by associating the print server (the JetDirect card) with a print queue on a NetWare server. Once this queue has been set, only users logged into that particular server who are "supervisor"-equivalent will be able to modify the JetDirect card configuration. (NOTE: they must be logged in.) This restriction, however, is not absolute. Further restriction using the peer-to-peer password (see below) is necessary. If the peer-to-peer password is not supported on your JetDirect card, you should consider upgrading your card (see below).

TCP/IP Server Restrictions

JetDirect cards supporting TCP/IP can be configured with address-based restrictions if the card is configured to get its IP address from a UNIX host via bootp/TFTP.

Control Panel Password Restrictions

Local re-configuration at the printer control panel can be partially restricted by requiring a password. However, even with a password set at the control panel, the printer can be reset to factory default configuration settings by a special re-boot. If you are especially concerned about the security of print, the printer should be located in a physically secure area.

Telnet Password Restrictions

For JetDirect-equipped HP printers with the TCP/IP protocol enabled, a password can be set to restrict remote configuration via telnet.

Peer-to-peer (Direct Mode) Password Restrictions

For newer models of the JetDirect card (see Appendix I for details) a "peer-to-peer" password can be set. The peer-to-peer password blocks remote configuration of IPX- and TCP/IP-enabled printers via the JetAdmin utility. A "peer-to-peer" password alone is not sufficient, and should be supplemented with the IPX server restrictions outlined above. If your JetDirect card does not support peer-to-peer passwords, you should consider upgrading. Note: some HP documentation may use the term "direct mode" rather than "peer-to-peer."

EtherTalk Password Restrictions

The LaserJet Utility for Macintosh allows the LAN administrator to set a password to restrict reconfiguration via EtherTalk.

Each password-based restriction above only protects against re-configuration by the associated utility/protocol.
For example, control panel restrictions do not protect against re-configuration by telnet or by JetAdmin, and so on. It is important to be sure that for each protocol supported, the associated password is set.

At this time, we are aware of no server-based configuration restrictions using AppleTalk-only servers.

_____________________________________________

II. Impact

For printers with improperly configured JetDirect cards, remote intruders can change printer names arbitrarily (including IPX names, AppleTalk names and IP addresses/domain names), re-assign printers to different AppleTalk zones or different NetWare servers, change the number of copies printed, and assign their own passwords to printers. Some of these attacks can result in print being rerouted or in the printer being temporarily inoperable.

The tools for re-configuring JetDirect printers (i.e. the LaserJet Utility and the JetAdmin utility) are freely available for downloading over the Internet.

U. of P. Information Security is aware of at least one incident in which JetDirect printers on campus were re-named.

_____________________________________________

III. Solution

After reviewing the recommendations below, please consult your HP manual for additional information. If you have questions about the instructions outlined below for configuring your JetDirect-equipped printer, please contact ISC First Call at 3-4778 or help@isc.upenn.edu, or visit the CRC offices (see the address at the top of this advisory).

The first step is to determine whether your printer is vulnerable. Next, determine which protocols are enabled on the printer, and disable any protocols not needed. Then, for each protocol that is enabled, properly set up all facilities for restricting remote configuration. In some cases, it may be necessary to upgrade your JetDirect card. Finally, take steps to protect against local reconfiguration of your printer.

A. Determine if your printer is vulnerable

All networked printers using the HP JetDirect card are potentially vulnerable. To find out what security capabilities your JetDirect card offers, run a self-test on the printer. The self-test report will show you the printer model (product) number, the firmware revision and the protocols supported. Check Appendix I, a table of HP product numbers and associated security features. If security features (e.g. peer-to-peer and/or telnet passwords, the ability to disable protocols, etc.) are not available on your card, you may wish to upgrade to a newer card, or obtain a firmware upgrade, if available. For upgrading cards, HP has a "buy-back" program to credit $150 toward the purchase price of a new card with security features. See Appendix I for details.

B. Disable un-needed protocols

Some JetDirect cards will support all of the following networking protocols: TCP/IP, Novell IPX, EtherTalk (AppleTalk over Ethernet), and DLC/LLC (used with IBM printing). You should configure your JetDirect card to support only those protocols needed. Supporting un-needed protocols increases the exposure of your printer: each enabled protocol is one more path by which the card can be re-configured. However, not all HP JetDirect cards will allow you to disable specific protocols. Some older cards only permit enabling one protocol or all protocols. See Appendix I for details.

NOTE: If you are using your JetDirect-equipped printer for FinMis reports, you MUST support the TCP/IP protocol.

Use any of the following tools to enable/disable protocols:

1. Using the printer control panel

   Options vary among HP printers. Consult your HP manual for instructions on how to enable/disable protocols from the control panel. Afterwards, be sure to check your work by recycling the printer (turn it off and on) and running the self-test. See your user manual for instructions on how to run a self-test, or follow the menu items on the printer control panel. Review the self-test report to verify your work.

2. Using the Windows JetAdmin utility (version 2.x only)

   a. Launch the utility.
   b. Select the printer (make sure you have the "ALL DEVICES" filter selected) and double-click.
   c. Select the "JetDirect" tab.
   d. Select the protocol stack button on the left side of the screen.
   e. De-select any undesired protocols (a check mark means the protocol is selected).
   f. Recycle the printer (turn it off, then back on) and run a self-test (see your manual for instructions on how to perform a self-test, or use the printer control panel menus). Review the printed output from the self-test to verify that you have properly configured the desired protocols.

3. Using the JetAdmin utility for other platforms: see your HP manual. The UNIX-based JetAdmin tools can be used to re-set any protocol except TCP/IP.

4. Using telnet access: see your HP manual for details.

Note that protocols can not be enabled/disabled using the HP LaserJet Utility for Macintosh.

When you have finished setting the protocols, always remember to double-check your work by recycling the printer (turn it off, then back on again) and running a self-test. The self-test will produce a report which will confirm the printer configuration.

C. Configure the protocols correctly

TCP/IP

If TCP/IP is enabled on the JetDirect card, be sure to set a telnet password. To set the telnet password, follow the instructions in your user manual.

You may also want to apply host-based restrictions to limit which hosts may connect to the printer via TCP/IP. To do this, the JetDirect card must be configured to get its IP address from a UNIX host via bootp/TFTP. In the host's TFTP boot directory (usually /tftpboot) there should be a directory "hpnp" which contains files corresponding to the printer's hostname, suffixed with ".cfg". Adding an "allow:" line naming a host to this file will restrict the printer to accept TCP/IP connections only from that host.
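The two TCP/IP controls just described, the telnet password and the bootp/TFTP allow list, can be checked and prepared with a small script. The following Python is an added example written for this page; it is not code from the advisory, from HP, or from Penn ISC. It assumes (1) that a card without a telnet password greets a connecting client with a ">" configuration prompt, while a protected card first prints a line containing the word "password"; (2) that "allow:" lines in the hpnp .cfg file take the form "allow: <address> [<mask>]", a missing mask meaning a single host; and (3) that the card is pointed at its .cfg file with the HP vendor tag T144 in /etc/bootptab. All three are assumptions to confirm against the manual for your card's firmware. Addresses and banners in the code are constructed.

```python
"""Added example for the TCP/IP controls in Section III.C: probe the
JetDirect telnet interface for a password prompt, and build/check the
bootp/TFTP "hpnp" allow list.  Not code from the advisory or from HP.
Banner wording, the "allow: <address> [<mask>]" syntax and the bootptab
T144 tag are assumptions; verify them against your card's manual."""
import ipaddress
import socket

# ---- 1. Telnet configuration interface ---------------------------------

def classify_telnet_banner(data: bytes) -> str:
    """Classify what a card sent right after a connection to TCP/23.

    "password": a password prompt appeared (a telnet password is set)
    "open":     a configuration prompt (">") appeared with no password
    "unknown":  nothing recognisable (prompt wording is an assumption)
    """
    text = data.decode("ascii", errors="replace").lower()
    if "password" in text:
        return "password"
    if text.rstrip().endswith(">"):
        return "open"
    return "unknown"


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect to the printer, collect its greeting until it goes quiet,
    and classify it.  "closed" means nothing answered on the port, i.e.
    TCP/IP or telnet is disabled or the host is unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            chunks = []
            try:
                while True:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass  # the card has said all it is going to say
            return classify_telnet_banner(b"".join(chunks))
    except OSError:
        return "closed"

# ---- 2. bootp/TFTP host restrictions (/tftpboot/hpnp/<hostname>.cfg) ----

def render_hpnp_cfg(allowed) -> str:
    """Render the .cfg contents for a list of hosts or networks (CIDR
    strings).  Single hosts get a bare "allow: <address>"; networks get
    "allow: <network> <mask>"."""
    lines = ["# JetDirect TFTP configuration (constructed example)"]
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            lines.append(f"allow: {net.network_address}")
        else:
            lines.append(f"allow: {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


def parse_allow_rules(cfg_text: str) -> list:
    """Read the "allow:" lines back into networks; other directives and
    "#" comments are ignored.  A missing mask means one host."""
    rules = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("allow:"):
            continue
        fields = line[len("allow:"):].split()
        if not fields:
            raise ValueError(f"allow: line without an address: {raw!r}")
        mask = fields[1] if len(fields) > 1 else "255.255.255.255"
        rules.append(ipaddress.ip_network((fields[0], mask), strict=False))
    return rules


def is_allowed(src_ip: str, rules) -> bool:
    """Mirror the card's decision: with no allow: lines every host may
    connect; otherwise the source address must match some rule.  This is
    purely address-based, which is why the advisory calls it modest
    protection: a host on the same wire can forge the source address."""
    if not rules:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in rules)


def render_bootptab_entry(hostname: str, hw_addr: str, ip: str,
                          cfg_path: str) -> str:
    """One /etc/bootptab entry (CMU bootpd syntax) that hands the card
    its address and names its .cfg file relative to the TFTP root.
    T144 is taken to be the HP vendor tag for that file name (assumption)."""
    ha = hw_addr.replace(":", "").replace("-", "").lower()
    return f'{hostname}:ht=ether:ha={ha}:ip={ip}:T144="{cfg_path}":'


if __name__ == "__main__":
    # Constructed sample: one print server host plus one admin subnet.
    cfg = render_hpnp_cfg(["192.0.2.10", "198.51.100.0/24"])
    rules = parse_allow_rules(cfg)
    print(cfg)
    print(render_bootptab_entry("lj4-acct", "08:00:09:3b:12:34",
                                "192.0.2.20", "hpnp/lj4-acct.cfg"))
    for src in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(src, "allowed" if is_allowed(src, rules) else "refused")
    # Against a real printer: print(probe_telnet("192.0.2.20"))
```

Run probe_telnet() against each printer address on a subnet: "open" means anyone who can reach TCP port 23 on that printer can re-configure the card, "closed" means TCP/IP or telnet is not enabled, and "password" means the telnet password from the paragraph above has been set. Before deploying a .cfg file, feed the addresses of every host that must print to the card (for FinMis printers, the hosts ISC gives you) through is_allowed(); an allow list that omits a print server does not weaken security, it stops printing.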
Be aware that access control by host name or address only provides a modest level of protection, since names and addresses can be spoofed relatively easily.

NOTE: If you use your printer for FinMis reports, before applying any host-based restrictions, contact Steve Fausey (fausey@isc.upenn.edu) to get the right host name(s)/IP address(es), and to make sure that there are no reported problems with using bootp on FinMis printers.

IPX

It is strongly recommended that all IPX-enabled JetDirect printers be associated with a NetWare server *and* have a peer-to-peer password set. Either restriction, taken by itself, is easily bypassed.

To associate the printer with a print queue on a NetWare server, use the JetAdmin utility. Windows 95 users may use either JetAdmin version 2.3 or 2.11; Windows 3.1 users need to use version 2.11. For information on using JetAdmin on all other platforms, see your HP manual. When using the JetAdmin utility for Windows, some campus LAN administrators have reported that it is sometimes a little slow, and that you have to be a little patient with it before it makes remote printer changes.

To associate the printer with a NetWare print queue from a Windows 95 machine:

1. Launch JetAdmin (these instructions are for version 2.3).
2. Select the printer (make sure you have the "ALL DEVICES" filter selected).
3. Go to the "DEVICE" menu and select "MODIFY". (Note: if the device has not already been configured, it will have to be found among the other unconfigured ones by selecting "PRINTER" and then "NEW". You may need to know the printer's MAC (hardware) address to find it in the listing.)

For NetWare 3:

4. Keep hitting "NEXT" until you see a button that says "BINDERY QUEUES" on the left side of the screen.
5. Select the "BINDERY QUEUES" button.
6. Hit "CHANGE".
7. Select the queue to be added on the left side of the screen, and then hit "SERVICE". You may need to create a queue first, in which case you can do that by hitting the "CREATE" button.
8. Hit "OK", and then continue to "NEXT" until it changes to a "FINISH" button.
9. Hit "FINISH". You're done!

For NetWare 4:

4. Keep hitting "NEXT" until you see a button that says "NetWare Directory Services" on the left side of the screen.
5. Select the "NetWare Directory Services" button.
6. Using the dropdown menu, select the appropriate Tree for your NetWare 4 server.
7. In the "Print Server Context" section, type in the context where you would like your print server queue to reside. (See NetWare manuals for additional help.)
8. Hit "OK", and then continue to "NEXT" until it changes to a "FINISH" button.
9. Hit "FINISH". You're done!

Note that peer-to-peer passwords are only supported on some JetDirect cards (see Appendix I for details). If your card does not support peer-to-peer passwords, you probably need to upgrade your JetDirect card.

Since JetAdmin version 2.3 for Windows 95 permanently caches peer-to-peer passwords on every machine where the password is entered, you may prefer to set the passwords with JetAdmin 2.11.

To set the peer-to-peer password:

1. First, remove the NetWare client:
   - Windows 95 users should open the "Network" icon in the Windows 95 Control Panel, select the "Client for NetWare" client, and hit "REMOVE". Continue to hit "OK" to exit. A dialogue box will ask you to restart. Click on "OK".
   - Windows 3.x users should edit the batch file which calls your NetWare client (either NETX or VLM) and REM that line out. Reboot your machine.
2. Launch the JetAdmin utility.
3. Go to the "DETAILS" menu and select "MODIFY".
4. Follow the "NEXT" buttons until you get to "PASSWORD" for the peer-to-peer IPX password.
5. Set the password.
6. Re-install your NetWare client and reboot.

Remember that if you used JetAdmin version 2.3, you will not be prompted for the peer-to-peer password on this machine in the future, so you should only perform this from a trusted machine. The password is permanently cached on every machine where the password is entered, unless you de-install the JetAdmin utility (not recommended).

EtherTalk

Using the LaserJet Utility for Macintosh, be sure to set a password to restrict reconfiguration via EtherTalk. When you open the utility, you'll be required to select a zone and a printer name (both of which can be changed). After selecting the desired printer, a selection of buttons will appear on the left side of the screen. If you select "SECURITY" (which has a big key on it), you can set a password. This password will only protect you from re-configuration via EtherTalk. If your printer supports other protocols, be sure to set the associated passwords.

DLC/LLC

DLC/LLC is a networking protocol used by Windows NT, IBM LAN Server and Microsoft LAN Manager. It is beyond the scope of this advisory.

D. Protecting against local reconfiguration

See your HP manual for instructions on how to set a password to restrict local configuration. Also, be aware that control panel passwords can be bypassed by anyone with physical access to the printer. If the printer is used for sensitive matters, it should be kept in a physically secure area.

_____________________________________________

Additional Notes:

1. There have been reports that when JetDirect-equipped printers are rebooted with a cold reset, they may come up with a re-assigned IP address. This may be caused by either bootp or DHCP running on the subnet. If you notice the IP address of your printer changing inexplicably, this may account for it.

2. There are reports of the possibility of printers being remotely re-configured using malicious PostScript print jobs. This problem is beyond the scope of this advisory. Additional information will be issued in the next few days. If you do not require PostScript printing on your printer, and it allows you to disable PostScript, you may want to do so.
_____________________________________________

Appendix I - HP Product #/Firmware Revision/Features

Here are HP's JetDirect card model numbers, the associated latest firmware revision number, an indication of whether advanced security features are available on the card, and some related notes. You can check your JetDirect product number and firmware revision by running a self-test on the printer.

"Advanced Security" features (HP's term) refers to the ability to set passwords restricting access via telnet and via the JetAdmin tools. If your card's product number does not match this list, the card probably does not support advanced security features. If you need security features, you would need to purchase a new card. HP has a "buy-back" program for upgrading JetDirect cards, where they will give a $150 credit when you trade in an older card without security features for a newer card with security features. In some cases (see notes below) you may also have the option of upgrading your existing card with a flash SIMM, which should run you about $80. The buy-back program, however, only applies to the purchase of entirely new cards, not to the purchase of flash-SIMM upgrades.

In any case, if you plan to upgrade your card, make sure that your printer will also support the advanced security features. You don't want to buy a new card only to find out that your older printer doesn't support the features (see notes below).

    Product   Current Firmware   Advanced Security?
    J2550A    A.04.09            Yes   See Note 1
    J2552A    A.04.09            Yes   See Note 1
    J2555A    A.04.09            Yes   See Note 1
    J2593A    D.04.20            Yes   See Note 2
    J2594A    D.04.20            Yes   See Note 2
    J2591A    E.04.20            Yes   See Note 2
    J2371A    C.03.16            Yes   See Note 3
    J2372A    C.03.16            Yes   See Note 3
    J2373A    C.03.16            Yes   See Note 3
    J2382B    B.03.16            Yes   See Note 4
    J2383B    B.03.16            Yes   See Note 4
    C2059     ???????            No    See Note 5
    C2071     ???????            No    See Note 5

Note 1: These cards support advanced security features. Multiple protocols are supported, and protocols can be individually enabled/disabled if used with newer HP printers (LaserJet 4+, LaserJet 5, etc.). If used with older HP printers (LaserJet 4, LaserJet 3si, DeskJet 1200C, PaintJet XL300, etc.), individual protocols can not be separately enabled/disabled; the only options are one protocol or all protocols.

Note 2: These cards support advanced security features. Multiple protocols are supported, and protocols can be individually enabled/disabled as needed.

Note 3: These cards will support "advanced security" if upgraded to the latest version of firmware with a flash SIMM. With the upgrade, multiple protocols are supported, and protocols can be individually enabled/disabled if used with newer HP printers (LaserJet 4+, LaserJet 5, etc.). If used with older HP printers (LaserJet 4, LaserJet 3si, DeskJet 1200C, PaintJet XL300, etc.), individual protocols can not be separately enabled/disabled; the only options are one protocol or all protocols. For the flash-SIMM upgrade, order HP part number J2546B. Alternatively, you can buy a new card and get a $150 credit through the "buy-back" program.

Note 4: These cards will support "advanced security" if upgraded to the latest version of firmware with a flash SIMM. With the upgrade, multiple protocols are supported, and protocols can be individually enabled/disabled. For the flash-SIMM upgrade, order HP part number J2547B. Alternatively, you can buy a new card and get a $150 credit through the "buy-back" program.

Note 5: These cards do not support "advanced security", and can not be upgraded with a flash SIMM. You must buy a new card to get "advanced security" (and you should be able to get a $150 credit through the buy-back program).

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQBVAwUBNgelBobJXcKNQ6lZAQHd6gIAhoXsh/xzNKGCHWmYLBziRhT2UGIH0d/O
FdDr/Y49tDOmGbsgwoBoOF8NunfN9B+fkUbfXoIXkqTHUurIUBoQmg==
=2NwL
-----END PGP SIGNATURE-----