hp-jetdirect-DoS.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

HP JetDirect vulnerabilities lead to Denial of Service attacks requiring power cycling to recover.


Date: Fri, 11 Dec 1998 10:46:36 -0500 (EST)  
From: X-Force <[email protected]>  
To: [email protected]  
Cc: X-Force <[email protected]>  
Subject: ISSalert: ISS Security Advisory: HP JetDirect TCP/IP problems  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
ISS Security Advisory  
December 10, 1998  
  
HP JetDirect TCP/IP problems  
  
  
Synopsis:  
  
This advisory covers a number of miscellaneous issues regarding HP  
JetDirect printer interface cards and print servers of various vintage. HP  
has addressed many of these issues in newer JetDirect print server  
products (Fall 98). More information about newer products and upgrades  
is available from HP contact representatives.  
  
Older TCP/IP implementations on HP JetDirect cards and servers are   
vulnerable to a wide variety of Denial of Service (DoS) attacks which   
subsequently require power cycling the server or the printer to recover.  
Most of these sundry problems have been discussed on the BugTraq mailing  
list, [email protected]. Most point up a particularly fragile TCP/IP  
implementation subject to race conditions and poor error recovery.  
  
Older JetDirect servers and cards attempt to emulate an lpd style printing  
system. This emulation suffers from several limitations which may or may  
not relate to the TCP/IP vulnerabilities.  
  
Because of the single-threaded nature of the older JetDirect interface,  
whenever one of the JetDirect access ports is occupied, the other ports  
are unavailable. The consequence is that the older JetDirect cannot truly  
emulate the spooler characteristics. When the older JetDirect is  
receiving lpd data, it is unavailable to lpq/lpstat queries. If anything  
goes wrong in this single-threaded interface, all access can be denied to  
the printer.  
  
Newer JetDirect interfaces feature a web interface for configuration,   
access, and control. Because the interface does not use SSL encryption,   
the potential exists for exposing sensitive information such as   
administrative passwords and configuration information to sniffing   
attacks.  
  
  
Recommendations:  
  
HP has newer versions of the JetDirect print server products available  
which fix most of the problems associated with the older interfaces and  
print servers. If an upgrade is available, the JetDirect card or  
firmware should be upgraded. Contact HP for more information concerning  
upgrade or replacement availability.  
  
For those products for which an upgrade or replacement is not readily  
available, it may be possible to tolerate or compensate for these  
problems when recognized.  
  
If possible, limit all access to the JetDirect interface to the absolute  
minimum required. Do not allow access to older JetDirect cards from  
outside of areas not under reasonable supervision or control. While  
blocking access from outside networks might be a minimum consideration,  
some internal controls to limit "practical jokes" would also be advisable.  
  
With the reasonable cost of PCs, it may be more cost effective to replace  
older JetDirect servers with tiny PC systems with full spooler   
functionality and a more robust TCP/IP implementation.  
  
Another option could be to hide older JetDirect cards or servers behind  
other systems with spoolers and strictly limit JetDirect card access to  
designated spooling systems. Then force all other users to work through  
the designated spooler systems. This may be a viable alternative where  
spooler systems already exist on the network with the older JetDirect  
cards.  
  
Access to the web interface of the newer JetDirect cards should be  
limited, and access from outside of controlled networks should be   
restricted. While there are no specific vulnerabilities known in the  
JetDirect web servers at this time, unrestricted access could result in  
the leakage of sensitive configuration information about the printer.  
Passwords and community string names should be different from any other  
passwords or devices to protect other network facilities from inadvertent  
leakage of printer information.  
  
  
Detailed Specific Problems:  
  
Older HP JetDirect cards and servers of various revisions have been  
demonstrated to fail under the following attacks:  
  
  
HP Display Hack (from [email protected]):  
  
The HP Display Hack from L0pht allows someone to print arbitrary messages  
of up to 16 characters on HP printers with LCD panels. When used just  
prior to one of the DoS attacks below, it's possible for an attacker to  
perform "social engineering" attacks where they post something like a  
telephone number (toll) on the display panel and then kill the interface.  
Some users could be tricked into placing expensive calls thinking they  
were calling for service as instructed by the printer. This vulnerability  
and the exploit code has been posted to the BugTraq mailing list.  
  
This is a feature of the printer control language and is present in newer  
versions of the JetDirect interfaces.  
  
  
Syn "Dripping":  
  
Even though the JetDirect cards are not subject to syn flooding per se,  
due to the single threaded TCP/IP stack, even a single SYN packet can  
lock up the older interface for a significant period of time (tens of  
seconds to as much as a minute). Thus the printer can be subjected to a  
denial of service attack by slowly dripping SYN packets with non-  
responding "from" addresses directed to the older JetDirect interface. If  
this is directed at more than one of the JetDirect ports, the interface  
may lock up, as in the repeated rapid port scanning DoS described below.  
  
This problem was uncovered at Internet Security Systems during the  
analysis of other JetDirect problems.  
  
Newer multi-threaded versions of the JetDirect interfaces are not  
vulnerable to this problem.  
  
  
Repeated rapid port scanning:  
  
Some scanning tools use parallel port scanning to improve scanning speed.  
Parallel scanning of multiple ports on the older JetDirect cards has a  
high probability of causing a complete lockup of the JetDirect network  
interface. The fact that the DoS is not deterministic, and the failure  
rate is highly dependent on the timing and speed of the scan, indicates  
that this is a timing window or race condition in the TCP/IP stack on the  
older JetDirect.  
  
Rapidly scanning ports 9099 and 9100 can very quickly cause this failure,  
and scanning 9099 and 9100 from a low order port such as port 20 (ftp  
data) could slip past some filtering firewalls.  
  
This lockup is not accompanied by any particular LCD panel display,   
permitting it to be used in combination with the HP Display Hack described  
above.  
  
This problem was uncovered at Internet Security Systems during routine  
product testing.  
  
This problem may still be present, but much more difficult to exploit, in  
newer versions of the JetDirect interfaces and newer JetDirect print  
servers.  
  
  
Land:  
  
Land is a spoofed attack where a connection appears to be addressed to an  
address:port combination from that same address:port combination. This  
attack causes some TCP/IP stacks to lock dead. The older JetDirect TCP  
protocol stack is vulnerable to land attacks. This attack can be blocked  
from the outside by any reasonable anti-spoofing filters on firewalls or  
routers. This lockup is not accompanied by any particular LCD panel  
display, permitting it to be used in combination with the HP Display Hack  
above. This vulnerability has been discussed on the BugTraq mailing list.  
  
This problem is not present in newer versions of the JetDirect interfaces.  
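The three failure modes described above (SYN "dripping", repeated rapid port scanning, and Land) all leave a recognisable trace at a network tap or in firewall logs well before the printer has to be power cycled. The following is an added example, not code from the advisory or from ISS X-Force: a small Python detector that applies one rule per failure mode to flow records in a constructed one-line-per-packet format. The record format, the printer-port set, the thresholds and the sample addresses are assumptions chosen for illustration.

```python
"""Detection rules for the three older-JetDirect failure modes just described
(single-SYN "dripping", rapid parallel scans of the printer ports, and Land-style
packets), applied to flow records in a constructed one-line-per-packet format.

Added example, not code from the advisory or from ISS X-Force. The record format,
the PRINTER_PORTS set, the thresholds and the sample records are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

PRINTER_PORTS = {515, 9099, 9100}  # lpd plus the two ports the advisory names (assumed set)
DRIP_THRESHOLD = 3                 # half-open SYNs from one source before alerting (assumed)
SCAN_WINDOW = 2.0                  # seconds: two printer ports hit within this = parallel scan
LOW_PORT_MAX = 1023                # "low order" source ports such as 20 (ftp-data)


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line):
    """Parse one constructed record: '<seconds> <src>:<sport> > <dst>:<dport> <tcp flags>'."""
    ts, src, _, dst, flags = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Pkt(float(ts), s_ip, int(s_port), d_ip, int(d_port), flags)


def detect(lines):
    """Return a list of alert tuples; the first element names the rule that fired."""
    pkts = sorted((parse_line(l) for l in lines if l.strip()), key=lambda p: p.ts)
    alerts = []

    # Land: a packet whose source address:port equals its destination address:port.
    # Anti-spoofing filters on the router or firewall stop these before the card sees them.
    for p in pkts:
        if p.src == p.dst and p.sport == p.dport:
            alerts.append(("land", p.src, p.dport))

    # SYN dripping: SYNs to a printer port with no later non-SYN segment on the same
    # 4-tuple, i.e. the handshake never completes. Even a trickle of these ties up a
    # single-threaded stack, so the threshold is deliberately low.
    completed = {(p.src, p.sport, p.dst, p.dport) for p in pkts if "S" not in p.flags}
    half_open = defaultdict(int)
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        if "S" in p.flags and p.dport in PRINTER_PORTS and key not in completed:
            half_open[(p.src, p.dst)] += 1
    for (src, dst), n in half_open.items():
        if n >= DRIP_THRESHOLD:
            alerts.append(("syn_drip", src, dst, n))

    # Parallel scan: one source hitting two or more printer ports on the same device
    # inside SCAN_WINDOW seconds. A low source port (e.g. 20) is flagged separately
    # because the advisory notes it may pass simple port-based filters.
    by_pair = defaultdict(list)
    for p in pkts:
        if "S" in p.flags and p.dport in PRINTER_PORTS:
            by_pair[(p.src, p.dst)].append(p)
    for (src, dst), ps in by_pair.items():
        for i, first in enumerate(ps):
            ports = {q.dport for q in ps[i:] if q.ts - first.ts <= SCAN_WINDOW}
            if len(ports) >= 2:
                low_port = any(q.sport <= LOW_PORT_MAX for q in ps)
                alerts.append(("port_scan", src, dst, tuple(sorted(ports)), low_port))
                break
    return alerts


# Constructed sample: a normal print job, a slow SYN drip, a two-port scan from
# source port 20, and a Land packet. Addresses are private/documentation ranges.
SAMPLE_LOG = """
0.0   10.1.1.5:40001 > 10.1.1.50:9100 S
0.2   10.1.1.5:40001 > 10.1.1.50:9100 A
0.3   10.1.1.5:40001 > 10.1.1.50:9100 PA
30.0  192.0.2.9:1025 > 10.1.1.50:9100 S
61.0  192.0.2.9:1026 > 10.1.1.50:9100 S
92.0  192.0.2.9:1027 > 10.1.1.50:9100 S
120.0 198.51.100.7:20 > 10.1.1.50:9099 S
120.1 198.51.100.7:20 > 10.1.1.50:9100 S
150.0 10.1.1.50:9100 > 10.1.1.50:9100 S
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The SYN-drip rule keys on the handshake never completing rather than on rate, because the point of the advisory is that a single-threaded stack is held up by one SYN at a time; a rate-based SYN-flood threshold would never fire on a source sending one packet every thirty seconds.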
  
  
Nestea / Nestea2:  
  
Nestea is a variation of the TearDrop-style fragmentation attacks. By  
mishandling peculiar fragmentation reassemblies, certain TCP/IP stacks  
will fail. Older JetDirect cards are vulnerable to this style of attack.  
Printers with LCD displays may display a service error code. This attack  
can be blocked from the outside by any device which does full packet  
reassembly, such as a proxy-style firewall or a router with packet  
reassembly.  
  
Because this problem generally results in a service or error code   
displayed on the LCD panel, it is less likely to be used in conjunction   
with the HP Display Hack described above. This vulnerability has been  
discussed on the BugTraq mailing list.  
  
This problem is not present in newer versions of the JetDirect interfaces.  
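The mitigation the advisory names for Nestea-style fragmentation attacks is full packet reassembly in a proxy firewall or router in front of the card. The following is an added example, not code from the advisory or from ISS X-Force, of the strict reassembly check such a device performs: fragment sets that overlap, leave a gap, or carry an inconsistent more-fragments flag are rejected instead of being forwarded to the printer's stack. Fragments are modelled as (offset in 8-byte units, more-fragments flag, payload) tuples, an assumption that stands in for the real IPv4 header fields.

```python
"""Strict IP fragment reassembly of the kind a proxy firewall or a
reassembling router performs in front of an older JetDirect card: a fragment
set that overlaps, leaves a gap, or carries inconsistent flags is rejected
rather than handed to the printer's fragile stack.

Added example, not code from the advisory or from ISS X-Force. Fragments are
modelled as (offset_in_8_byte_units, more_fragments, payload) tuples, an
assumption that stands in for the real IPv4 header fields.
"""
MAX_DATAGRAM = 65535  # largest IPv4 datagram, so no fragment may end beyond this


def reassemble(frags):
    """Return the reassembled payload, or raise ValueError with a short reason
    (before the colon) if the set cannot come from one well-formed datagram."""
    if not frags:
        raise ValueError("no fragments")
    # Sort by byte offset so out-of-order arrival is handled like in-order.
    pieces = sorted(((off * 8, bool(mf), data) for off, mf, data in frags),
                    key=lambda f: f[0])
    buf = bytearray()
    expected = 0  # next byte offset the stream should continue at
    for idx, (start, mf, data) in enumerate(pieces):
        if not data:
            raise ValueError("empty: zero-length fragment")
        end = start + len(data)
        if end > MAX_DATAGRAM:
            raise ValueError(f"oversize: fragment ends at {end}")
        if start < expected:
            raise ValueError(f"overlap: fragment at {start} overlaps data up to {expected}")
        if start > expected:
            raise ValueError(f"gap: bytes {expected}-{start} missing")
        last = idx == len(pieces) - 1
        if mf == last:  # MF must be set on every fragment except the final one
            raise ValueError("flags: more-fragments flag inconsistent with position")
        if not last and len(data) % 8:
            raise ValueError("align: non-final fragment length not a multiple of 8")
        buf += data
        expected = end
    return bytes(buf)


def check(frags):
    """Classify a fragment set: 'ok' or the short reason reassembly rejected it."""
    try:
        reassemble(frags)
        return "ok"
    except ValueError as e:
        return str(e).split(":")[0]


# Constructed fragment sets (offset in 8-byte units, more-fragments, payload).
GOOD = [(2, 0, b"B" * 5), (0, 1, b"A" * 16)]       # valid, arrives out of order
OVERLAP = [(0, 1, b"A" * 16), (1, 0, b"C" * 12)]   # second fragment starts inside the first
GAP = [(0, 1, b"A" * 8), (3, 0, b"D")]             # bytes 8-24 never arrive
BAD_FLAGS = [(0, 1, b"A" * 8), (1, 1, b"B" * 8)]   # final fragment still claims more follow

if __name__ == "__main__":
    for name, frags in [("GOOD", GOOD), ("OVERLAP", OVERLAP), ("GAP", GAP), ("BAD_FLAGS", BAD_FLAGS)]:
        print(name, check(frags))
```

Rejecting on the first inconsistency, rather than trying to pick a "winning" byte for an overlapped region, is the safe policy for a device that sits in front of a stack with poor error recovery: the printer never has to decide how to interpret an ambiguous reassembly.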
  
  
SNMP:  
  
The default SNMP community names on the older JetDirect cards and servers  
allow for very rapid identification of vulnerable printers which may be  
subjected to these various attacks. The community names on the JetDirect  
cards should be changed.  
  
On some older versions of the JetDirect interfaces, changing the SNMP  
community names added the new community names, but the interface would  
still respond to the old community name. While SNMP community names  
should not be considered secure, these older cards may give a false sense  
of protection or behavior.  
  
The problem with not being able to disable the older community name is not  
present in newer versions of the JetDirect interfaces.  
  
  
Additional Information:  
  
This vulnerability was primarily researched by Michael H. Warfield of the  
ISS X-Force. Our appreciation to the individuals at Hewlett Packard who  
assisted us in evaluating these problems and the current state of the  
JetDirect interface.  
  
________  
  
Copyright (c) 1998 by Internet Security Systems, Inc.  
  
Permission is hereby granted for the redistribution of this Alert Summary  
electronically. It is not to be edited in any way without express consent  
of X-Force. If you wish to reprint the whole or any part of this Alert  
Summary in any other medium excluding electronic medium, please email  
[email protected] for permission.  
  
Disclaimer  
  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in   
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html  
as well as on MIT's PGP key server and PGP.com's key server.  
  
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce  
  
Please send suggestions, updates, and comments to: X-Force  
<[email protected]> of Internet Security Systems, Inc.  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3a  
Charset: noconv  
  
iQCVAwUBNnE1zDRfJiV99eG9AQG8/gP+KcbZ9pxlqe7LTohBbn/brLRwLt4Mmlmy  
8/0ilu9nD9lFZXieuQh4ZjK2WXXWNaJfloUxCtNZeOBV/aKNb7N4zROsqAfZgiOJ  
4XvnmeAep7f7it5ZUy9+cgpBQrfjRNduOFoAa2m/sqPwLX46dS4FppIK8NnYbkij  
4TTJfIdEeCY=  
=WSju  
-----END PGP SIGNATURE-----  
  
