Friday, April 15, 2011

HP disclosed but didn't fix printer security holes

HP released a bulletin covering CVE-2011-1531, CVE-2011-1532, and CVE-2011-1533 on April 12 that acknowledges these security issues I reported to them exist, but will not be providing a patch to address them.  Instead, they have provided some recommendations and workarounds.

Some of the recommendations are not very practical in real life, such as avoiding XSS by "Exposure can be reduced by avoiding untrusted URLs".  This is not because they didn't understand the problem, but because there was nothing much else to say when they weren't going to fix the issue.  

The main issue that I was hoping they would fix is an XSS in the embedded web server of the printer.  By default, the printer is not protected by a password, and that could result in a malicious website being able to explore your printer/network settings or reconfigure it in various ways.  The XSS is reflective and I imagine it is not that uncommon for printers to have DNS within the company domain, allowing it to be used to steal/set cookies, pivot into your network to access private data, and all the other run of the mill nasties that you could do with malicious Javascript on an internal network.

HP's advisory is here:

There's more than one place to XSS this but I like the error page of the printer because it is accessible even with authentication enabled.  You can trigger it with a POST to refresh.htm, which will result in unescaped output provided to it in the "refresh_rate" variable.

I appreciate that HP took the time to disclose the bugs, but it makes me wonder what my expectations should be for them to fix any other HP products.  Perhaps XSS is just below their threshold, or maybe they think printers are not worth fixing.  It's hard to tell what they would care enough to patch.