HP OfficeJet Printer Security Bypass (HPSBPI03107)

2014-10-09T00:00:00
ID HP_OFFICEJET_HPSBPI03107.NASL
Type nessus
Reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-04-02T00:00:00

Description

The remote HP OfficeJet printer is affected by a security bypass vulnerability. The included OpenSSL library has a security bypass flaw in the handshake process. By using a specially crafted handshake, a remote attacker can force the use of weak keying material. This could be leveraged for a man-in-the-middle attack.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(78111);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/25");

  script_cve_id("CVE-2014-0224");
  script_bugtraq_id(67899);
  script_xref(name:"CERT", value:"978508");
  script_xref(name:"HP", value:"emr_na-c04451722");
  script_xref(name:"HP", value:"HPSBPI03107");

  script_name(english:"HP OfficeJet Printer Security Bypass (HPSBPI03107)");
  script_summary(english:"Checks the model/firmware of HP OfficeJet printer.");

  script_set_attribute(attribute:"synopsis", value:
"The remote HP OfficeJet printer is affected by a security bypass
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote HP OfficeJet printer is affected by a security bypass
vulnerability. The included OpenSSL library has a security bypass flaw
in the handshake process. By using a specially crafted handshake, a
remote attacker can force the use of weak keying material. This could
be leveraged for a man-in-the-middle attack.");
  # https://h20566.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04451722
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ec99199");
  script_set_attribute(attribute:"solution", value:
"HP has released firmware updates for the affected products.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0224");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/07/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:hp:officejet");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_officejet_web_detect.nbin");
  script_require_keys("hp/officejet/detected");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

##
# Strictly checks the firmware versions.
#
# @param  string  Host firmware version
# @param  string  Fixed firmware version
#
# @return -1 if host firmware < fixed firmware
#          0 if host firmware = fixed firmware
#          1 if host firmware > fixed firmware
##
function check_firmware(ver, fix)
{
  local_var vlen, flen, vfield, ffield, i;

  ver = split(ver, sep:'_', keep:FALSE);
  fix = split(fix, sep:'_', keep:FALSE);

  vlen = max_index(ver);
  flen = max_index(fix);
  if (vlen != flen)
    return 0;

  for (i = 0; i < vlen || i < flen; i++)
  {
    vfield = int(ver[i]);
    ffield = int(fix[i]);

    if (vfield < ffield)
      return -1;

    if (vfield > ffield)
      return 1;
  }

  return 0;
}

##
#
# Script starts here.
#
##
get_kb_item_or_exit("hp/officejet/detected");

printer_kbs = get_kb_list_or_exit("hp/officejet/*/model");
ports = make_list();

foreach printer_kb (keys(printer_kbs))
{
  matches = eregmatch(string:printer_kb, pattern:"hp/officejet/([0-9]+)/model");
  if (isnull(matches) || isnull(matches[1]))
    continue;
  port = int(matches[1]);
  ports = make_list(ports, port);
}

# empty list of ports
if (isnull(keys(ports)))
  audit(AUDIT_HOST_NOT, "HP OfficeJet Printer");

ports = list_uniq(ports);

port = branch(ports);

kb_base = "hp/officejet/" + port + "/";

product = get_kb_item_or_exit(kb_base + "product");
model = get_kb_item_or_exit(kb_base + "model");
firmware = get_kb_item_or_exit(kb_base + "firmware");

# from the HP advisory
if (model == "B5L04A" ||
    model == "B5L05A" ||
    model == "B5L07A")
  fixed_firmware = "2302963_436066";
else if (model == "C2S11A" ||
         model == "C2S12A")
  fixed_firmware = "2302963_436074";
else
  exit(0, "The " + product + " " + model + " listening on port " + port + " is not affected.");

if(!egrep(pattern:"^[0-9]+_[0-9]+", string:firmware))
  exit(0, "The " + product + " " + model + " running firmware " + firmware + " listening on port " + port + " does not have the expected firmware format.");

if (check_firmware(ver:firmware, fix:fixed_firmware) >= 0)
  exit(0, "The " + product + " " + model + " running firmware " + firmware + " listening on port " + port + " is not affected.");

if (report_verbosity > 0)
{
  report =
    '\n  Printer            : ' + product +
    '\n  Model              : ' + model +
    '\n  Installed firmware : ' + firmware +
    '\n  Fixed firmware     : ' + fixed_firmware +
    '\n';
  security_warning(extra:report, port:port);
}
else security_warning(port);