Hewlett Packard JetDirect-enabled printers disclose Telnet/HTTP passwords in hex format via "SNMP READ" request

2002-09-1600:00:00

www.kb.cert.org

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.08

Percentile

94.3%

JSON

Overview

Hewlett Packard (HP) printers store sensitive administrative account information in a variable that is served to any user that makes a certain SNMP request.

Description

HP JetDirect-enabled printers are configurable via HTTP and Telnet and accept SNMP requests. These printers store the administrative account password in an SNMP variable that can be read by any remote user that knows the address of the printer and the location of the variable. The location of the variable is unchanging.

Impact

Attackers can obtain sensitive information and gain unauthorized access to the printer.

Solution

Apply a patch

Update to firmware version X.22.09 or later.

Vendor Information

377003

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Hewlett-Packard Company __ Affected

Notified: July 15, 2002 Updated: August 06, 2002

Status

Affected

Vendor Statement

Update to firmware version X.22.09 or later.

For more information please refer to:

HP Jetdirect Print Servers - Making HP Jetdirect Print Servers Secure on the Network
<http://www.hp.com/cposupport/networking/support_doc/bpj05999.html#P26_2431>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23377003 Feedback>).