
SANS ISC InfoSec Handlers Diary Blog



Tip of the Day - Protecting HP JetDirect-based Printers

Published: 2006-08-29
Last Updated: 2006-08-30 21:24:43 UTC
by Scott Fendley (Version: 1)

HP JetDirect-based printers are extremely popular in academia and elsewhere around the Internet. As such, they need to be protected from malicious use, just as we protect the general computers and other network devices on our networks.

Note: the concepts presented in this Tip of the Day may be used in other network printers, though I haven't messed with other varieties enough to know the details.

My first suggestion is to firewall off printers from Internet access. Force connections to the printer to originate from your locally managed network, or through a VPN-authenticated computer residing elsewhere.

Unfortunately, in academia we rarely know the IP address of every network printer on our network, and I would suspect that in the corporate world this can also be true without very strictly enforced policies. Even if you know every printer and its IP on your network today, tomorrow it could be different after someone brings in a new super fast, color, duplexing, with mailbox output tray, hard drive, extra fonts, bluetooth, infrared, firewire, usb, network, mp3 playing, digital media card reading, all-in-one, scanning, faxing, washing-the-dishes-in-the-kitchen-sink printer and installs it without your knowledge or approval.

Here you are left with a few choices.
  1. Use a tool like nmap or nessus to scan for a few choice TCP or UDP ports on printers and do some type of version or OS detection on the results. (Some of the ports to look for are 21, 23, 80, 280, 515, 631 and 9100 TCP.)
  2. ARP walk your routers/switches looking for the MAC addresses of the HP JetDirect or other printers.
  3. The DHCP Method.

The first two are time consuming and will have to be repeated often to keep track of newly discovered printers.

So, what is the DHCP Method?

HP devices with JetDirect cards have a vendor class identifier which reports to the DHCP server that they are 'Hewlett-Packard JetDirect' cards. You should be able to log this on your DHCP server and use it for custom applications. Or you can use this identifier to add some DHCP options which tell the printer to download a TFTP file from a local TFTP server; that file has a host.allow line so the printer only accepts connections from your institution's IP range. Since all HP printers use DHCP by default (as in factory defaults), you have a catch-all mechanism in case a printer is reset to factory defaults and someone fails to reset the passwords, or if users put new printers on the network without you noticing or approving.
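As an added example (not part of the original diary and not HP or DHCP-server code), the Python below parses raw DHCP payloads, reads option 60 (the vendor class identifier) and lists the MAC addresses of clients that announce themselves as JetDirect cards, which is the logging step described above. The function names, MAC addresses and sample packets are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of DHCP options
JETDIRECT_VCI = "Hewlett-Packard JetDirect"  # identifier quoted in the diary

def parse_dhcp(packet: bytes) -> dict:
    """Return the client MAC and the options of a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = min(packet[2], 16)                # hardware address length
    mac = packet[28:28 + hlen].hex(":")      # chaddr starts at offset 28
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"mac": mac, "options": options}

def find_jetdirect(packets) -> dict:
    """Map MAC -> vendor class identifier for clients announcing a JetDirect card."""
    found = {}
    for raw in packets:
        try:
            info = parse_dhcp(raw)
        except ValueError:
            continue                         # skip malformed traffic
        vci = info["options"].get(60, b"").decode("ascii", "replace")
        if vci.startswith(JETDIRECT_VCI):
            found[info["mac"]] = vci
    return found

def sample_discover(mac: bytes, vci: bytes) -> bytes:
    """Constructed DHCPDISCOVER used as sample input (not captured traffic)."""
    # op, htype, hlen, hops; zeroed xid..giaddr; chaddr; zeroed sname + file
    header = bytes([1, 1, 6, 0]) + bytes(24) + mac.ljust(16, b"\0") + bytes(192)
    opts = b"\x35\x01\x01" + bytes([60, len(vci)]) + vci + b"\xff"
    return header + MAGIC_COOKIE + opts

if __name__ == "__main__":
    demo = sample_discover(bytes.fromhex("0001e6aabbcc"), JETDIRECT_VCI.encode())
    print(find_jetdirect([demo]))
```
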

Using this same method with MAC address lists, you can build a set of known special printers (such as the one used by your CEO, Chancellor, President, VIP) that should only be reachable from certain computers/servers. These use a separate config file with other additional options. In addition to setting authorized IPs, one can also disable features such as the AppleTalk and IPX protocols which are unnecessary in your environment. You can also set items like contact name, location, syslog server and the like. However, you should be careful to make sure that all of the configuration features you are enabling/disabling are supported by a particular HP JetDirect model.

A sample config file for this with a little more information is located here:
http://www.lprng.com/LPRng-HOWTO-Multipart/x5171.htm

Last but not least, VLAN all of the printers into a printer virtual network. This may make it easier for you to do maintenance tasks on them, check versions of the JetDirect cards and the like if they are all in one virtual area. I am sure there are other reasons that you could/should VLAN them together, but I will leave that to your imagination.

If you have other HP JetDirect security resources, please share and I will update the diary later tonight/tomorrow with those links.

Update 1:

Overnight we have received a number of very useful links to add to the tip of the day. Thanks to Jerry, Charlie, Jack, Kahlib and others that shared more useful information.

HP Technical Document on Securing Jetdirect systems
HP Security Briefing on Jetdirect
HP JetAdmin Tool
HP Web JetAdmin Software

It is highly recommended that users update the firmware on the specific models of JetDirect. This will help the security posture some, and in some cases protect against your nmap scan, or the newest lpr-based worm, causing the printer to output reams of garbage.






---
Scott Fendley
Handler On Duty


Keywords: ToD

Ernesto domain name registrations up

Published: 2006-08-29
Last Updated: 2006-08-29 22:48:02 UTC
by Johannes Ullrich (Version: 1)
Today we noted a spike in registrations of domains with the term "Ernesto". No surprise given the approaching hurricane by that name. Today, 19 new "Ernesto" domains became live. One of them is just the name of a person and not hurricane related. The other 18 are hurricane related. 17 of these domains are registered by one person.

Today's Names:
cnnernesto(.com)|(.net)
ernestodamage(.com)|(.net)
ernestohurrican(.com)|(.net)
ernestoinsurance(.com)|(.net)
ernestomoney(.com)|(.net)
ernestonews(.com)|(.net)
ernestopipeline(.com)|(.net)
ernestovideo(.com)|(.net)
ernestoweather(.com)|(.net)
thehurricaneernesto.com

Last year, we had a large number of fraudulent sites asking for donations for Katrina victims. We are afraid that similar issues may arise this year. At this point, the domain names listed above are parked. We will keep an eye on them. Let us know if you find any donation-fraud sites.

[Figure: graph of "Ernesto" domain registrations]

Update:

The person who registered most of these domains wrote to say this:
Tell me why I deserve this, or at least help me recover as I have spent hours, barely slept in order to get good news about that situation. I lived on the Gulf Coast, my grandfather's mausoleum was destroyed by Katrina, as well as his house and many family and friends' homes and properties.

Yes, I have other domains for sale. This is America, this is capitalism. People buy real estate often with the intent of bettering it and selling it. I own CNNErnesto.com, b/c this is obviously a company that can cover this better than me.

Please, it is really painful to deal with this situation when all I could be putting up valuable information. And then, using money earned to build a nice company that will be very beneficial to a lot of people (TheWorldPipeline.com).


Sendmail DoS Vulnerability

Published: 2006-08-29
Last Updated: 2006-08-29 20:45:42 UTC
by Scott Fendley (Version: 2)
For some of the Unix types out there, this may be old news by now.  However, we do have a couple of reports in the mailbag about the Sendmail Denial of Service issue. 

On August 9, 2006, Sendmail.org released version 8.13.8, which addressed a few bugs that were discovered in 8.13.7 and fixed a few other bugs. One particular fix addresses an issue where sendmail would crash due to referencing a variable that had been freed. This flaw can be exploited by crafting a message with very long header lines. I did not see much media attention to this when it was released (in fact I personally missed the note that it had updated). However, in the past 24 hours a number of organizations have posted information about it. (Oh well, looks like I wasn't the only one that missed it at the time. And I don't think I can necessarily blame it on the students returning to my campus. ;-) )

As this appears to be just a DoS issue, it is our recommendation that, if you are using Sendmail-based products, you upgrade to 8.13.8, available at Sendmail.org, or contact your vendor for appropriate updates. Also, make sure you are on the appropriate announcement list for any software vendors that you use. Sometimes little security issues can get past even the best of us if we don't visit the local CVS repository or website on a daily/weekly basis.

I am looking around for appropriate Snort rules that might detect this.


For More Information:
http://secunia.com/advisories/21637/
http://www.openbsd.org/errata.html (August 25 sendmail patch)
http://www.osvdb.org/displayvuln.php?osvdb_id=28193
http://www.frsirt.com/english/advisories/2006/3393



---
Scott Fendley
ISC Handler On Duty