Vulnerability

    HP JetDirect

Affected

    Printers with HP JetDirect Firmware x.08.04, x.08.05, x.08.20

Description

    Following  is  based  on  a  VIGILANTE-2000014  Security Advisory.
    The  firmware   in  the   HP  JetDirect   card  contain   multiple
    vulnerabilities that  can have  effects ranging  from the  service
    crashing to  the printer  initiating a  firmware upgrade  based on
    random garbage in  the memory, and  in the last  case powercycling
    won't fix the crash.  It requires  a new firmware burn by eg.   HP
    to restore the Jetdirect card.

    The  FTP  service,  the  TELNET  service  and  the LPD service all
    contain buffer handling problems.   Furthermore, the JetDirect  IP
    implementation  contains  a  vulnerability  that  will  cause  the
    printer to  crash, if  a certain  malformed packet  is sent to the
    printer.  This packet can be spoofed.

Solution

    The  vendor  was  contacted  on   the  25th  of  August  and   the
    vulnerabilities were  verified by  them on  the 7th  of September.
    The new firmware versions can be retrieved using the following URL

        http://www.hp.com/cposupport/networking/software/allhpjd3.exe.html