-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Intelligent Peripherals Create Security Risk
December 8, 1998 17:00 GMT Number J-019
______________________________________________________________________________
PROBLEM: Improper installation of intelligent peripherals may cause the
machines to be compromised.
PLATFORM: All intelligent peripherals connected to the Internet requiring
an IP address that have the capability of storing images in
memory and/or onto an internal hard drive. Some of these
systems have the capability of running inet daemons such as
ftp, telnet, and others.
DAMAGE: By exploiting the non-passworded accounts, remote users may
gain access to the system and jeopardize sensitive information.
SOLUTION: Follow the manufacturer's installation instructions and password
all default accounts. CIAC recommends that all unneeded daemons
be turned off.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: Risk is high. CIAC has received reports of intelligent
peripherals, such as printers, being compromised by intruders and print jobs
being redirected to other machines. Sensitive information was potentially
compromised.
ATTENTION: Please pass this information to all administrators who use
printers, copiers, faxes, and scanners connected to a network.
______________________________________________________________________________
CIAC is aware of security risks associated with intelligent peripherals.
Although these devices do not 'look like' computers, they actually have the
internal components of one. In fact, some printers utilize a SPARC CPU board
that runs the Solaris UNIX operating system. Xerox has a sophisticated
device that allows users to copy, fax, scan, and print documents. This device
utilizes a network UNIX hard disk that conforms to the UNIX standard for file
directories and hence it has the capability of storing images in memory. For
this device, Xerox recommends that the user network information be secure.
This information includes network IDs, network passwords, network file
locations, user network names, and user passwords.
In most cases, the more functionality a device offers, the higher the
security risk. However, with proper installation and configuration the risks
are reduced. Throughout the past year CIAC has received reports of
peripherals, mostly printers, that were compromised. The following examples,
regardless of the device type and manufacturer, indicate the importance of
properly installing these devices on the network.
Codonics NP-1600 Printer
In March, CIAC was notified of a Codonics NP-1600 printer being compromised.
The printer utilizes a SPARC CPU board and runs the Solaris UNIX operating
system. This implies that the printer may have user accounts, as well as
daemons running, that may be used to compromise the device. The printer is
released from the manufacturer with default accounts without passwords (null
accounts). However, the manufacturer gives instructions and guidance on how to
install and configure the printers, as well as warning individuals to password
the root account. The printer has inet and rpc daemons running by default.
Some of these daemons are needed; however, CIAC recommends that all unneeded
daemons be turned off. After receiving this information, CIAC scanned a
Codonics printer to gather all the information about the services allowed.
According to the system administrator, the printer was configured per the
instructions issued by the manufacturer. The results of the scan found the
printer to be vulnerable only to Denial of Service (DoS) attacks.
Listed below are the daemons running by default on a Codonics NP-1600 printer.
inet daemons:
port type and status
7 (echo) is running.
9 (discard) is running.
13 (daytime) is running.
19 (chargen) is running.
21 (ftp) is running.
23 (telnet) is running.
37 (time) is running.
79 (finger) is running.
111 (sunrpc) is running.
512 (exec) is running.
513 (login) is running.
514 (shell) is running.
515 (printer) is running.
540 (uucp) is running.
741 (UNKNOWN) is running.
rpc daemons:
program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100087 10 udp 32772
100011 1 udp 32773 rquotad
100002 2 udp 32774 rusersd
100002 3 udp 32774 rusersd
100012 1 udp 32775 sprayd
100008 1 udp 32776 walld
100001 2 udp 32777 rstatd
100001 3 udp 32777 rstatd
100001 4 udp 32777 rstatd
100068 2 udp 32778
100068 3 udp 32778
100068 4 udp 32778
100083 1 tcp 32771
200 1 udp 740
200 1 tcp 741
HP Jet Direct Printer
In September, CIAC received a report of an HP Jet Direct printer being
hijacked by a foreign hacker. All print jobs sent to the printer were
actually sent to a print server in the foreign country. An intruder can
redirect all print jobs by becoming the print server using the mscan tool
against an unprotected printer. There are two passwords that need to be set
to protect the printer. To prevent this type of activity, use the HP Jet
Admin Utility to password protect the device. If your printer appears to be
operational but is not printing, view the status of the printer using the HP
Jet Admin Utility. To check the status of the printer, do the following:
1) Select 'Device'
2) Select 'Properties'
3) Select 'Diagnostics' tab
4) Click on 'TCP/IP'
5) Click on 'General'
At this level, the 'Server Address' is visible. The IP address displayed
should be that of the machine you are connecting from. Check to ensure it is
the correct machine address. If not, you may kill the active connection and
enable the queue using the HP Jet Admin Utility. This will return control of
the printer to your local network, and the print jobs already queued should
print.
Scanning Returns Interesting Results
While scanning a subnet recently, the scanner was unable to identify some of
the machines associated with a series of IP addresses. However, the scanner
did list the services allowed by each machine. Upon further investigation,
CIAC determined these IP addresses were assigned to printers. The following
ports and services were allowed by one of the printers:
23 telnet
80 httpd
515 printer
161 snmp server
An individual could use the telnet protocol to log in, and since the password
capability was disabled, this allowed free access to the printer and its
telnet configuration setup. Below is a sample of a JetDirect printer telnet
configuration setup:
Firmware Rev.: G.07.03
MAC Address: XX:XX:XX:XX:XX:XX (removed to preserve the identity)
Config By: USER SPECIFIED
IP Address: XXX.XXX.XXX.XX (removed to preserve the identity)
Subnet Mask: 255.255.255.0
Default Gateway: XXX.XXX.XXX.XXX (removed to preserve the identity)
Syslog Server: Not Specified
Idle Timeout: 120 Seconds
Set Cmnty Name: Not Specified
Host Name: Not Specified
DHCP Config: Disabled
Passwd: Disabled
IPX/SPX: Enabled
DLC/LLC: Enabled
Ethertalk: Enabled
Banner page: Enabled
CIAC highly recommends that printers with this type of capability enable
password protection and turn off all unneeded services. In most cases ftp,
telnet, and httpd are rarely needed for printers.
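The two listings in this bulletin, the Codonics inet daemon scan and the JetDirect telnet configuration dump, are the raw material an administrator has to review by hand. The script below is an added example (not CIAC, HP, or Codonics code) that parses both formats and reports what to turn off: it lists every running inet service other than the LPD printer port, and flags the JetDirect settings that leave the device unprotected or unmonitored. The "needed" port set (only 515), the choice of IPX/SPX, DLC/LLC and Ethertalk as unneeded transports, and the sample scan and dump text are the author's assumptions, modelled on the listings above.

```python
"""Audit a printer from two artifacts shown in this bulletin: an inet
service scan ("23 (telnet) is running.") and a JetDirect telnet
configuration dump ("Passwd: Disabled").  Added example; not CIAC, HP or
Codonics code.  The set of needed ports and the settings flagged are the
author's assumptions for a print-only device reached over TCP/IP."""
import re
from typing import Dict, List, Tuple

# Assumption: a network printer only needs the LPD port (515) open; every
# other listening service is reported so an administrator can decide
# whether to turn it off, as the bulletin recommends.
NEEDED_PORTS = frozenset({515})

# Assumption: the device is reached over TCP/IP only, so the non-IP
# transports JetDirect also speaks are treated as unneeded services.
UNNEEDED_PROTOCOLS = ("IPX/SPX", "DLC/LLC", "Ethertalk")

SCAN_LINE = re.compile(r"^\s*(\d+)\s+\((\S+)\)\s+is running\.?\s*$")
CONFIG_LINE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_inet_scan(text: str) -> Dict[int, str]:
    """Map port -> service name for every 'N (name) is running.' line."""
    services: Dict[int, str] = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            services[int(m.group(1))] = m.group(2)
    return services


def unneeded_services(scan_text: str, needed=NEEDED_PORTS) -> List[Tuple[int, str]]:
    """Return (port, name) pairs that are running but not in the needed set."""
    found = parse_inet_scan(scan_text)
    return sorted((p, n) for p, n in found.items() if p not in needed)


def parse_jetdirect_config(text: str) -> Dict[str, str]:
    """Map 'Key' -> 'Value' for each 'Key: Value' line of a config dump."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_jetdirect_config(config_text: str) -> List[str]:
    """Return human-readable findings for the weak settings in a config dump."""
    cfg = parse_jetdirect_config(config_text)
    findings: List[str] = []
    if cfg.get("Passwd", "").lower() == "disabled":
        findings.append("Passwd: Disabled -- anyone who can reach telnet "
                        "can read and change the device configuration")
    if cfg.get("Syslog Server", "Not Specified") == "Not Specified":
        findings.append("Syslog Server: Not Specified -- device events are "
                        "not logged off the printer")
    if cfg.get("Set Cmnty Name", "Not Specified") == "Not Specified":
        findings.append("Set Cmnty Name: Not Specified -- review who may "
                        "write to the device over SNMP")
    for proto in UNNEEDED_PROTOCOLS:
        if cfg.get(proto, "").lower() == "enabled":
            findings.append(f"{proto}: Enabled -- disable if not used")
    return findings


# Constructed sample scan, modelled on the Codonics listing in the bulletin.
SAMPLE_SCAN = """\
port type and status
21 (ftp) is running.
23 (telnet) is running.
79 (finger) is running.
515 (printer) is running.
"""

# Constructed sample dump, modelled on the JetDirect listing in the bulletin.
SAMPLE_CONFIG = """\
Firmware Rev.: G.07.03
Syslog Server: Not Specified
Idle Timeout: 120 Seconds
Set Cmnty Name: Not Specified
DHCP Config: Disabled
Passwd: Disabled
IPX/SPX: Enabled
DLC/LLC: Enabled
Ethertalk: Enabled
Banner page: Enabled
"""

if __name__ == "__main__":
    for port, name in unneeded_services(SAMPLE_SCAN):
        print(f"unneeded daemon: {port} ({name})")
    for finding in audit_jetdirect_config(SAMPLE_CONFIG):
        print("finding:", finding)
```

Feed the script the saved output of your own scanner and the telnet dump of a device you administer; both functions only read text, so they can run on an offline copy. The "Not Specified" defaults in audit_jetdirect_config deliberately treat a missing key the same as an unset one, so a truncated dump still produces a finding rather than silently passing.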
Conclusion
Today, printers and copiers are more complex and with this complexity comes
security risks. Non-passworded default accounts are a major security risk
regardless of the operating system and the platforms used. Allowing access to
an unprotected device may lead to other devices being compromised. To tighten
down your systems, make sure all accounts have passwords and that all unneeded
daemons are turned off. Follow the installation instructions provided by the
manufacturer. If the instructions are not clear, call the manufacturer and ask
for assistance. Remember that hijacking print jobs may jeopardize
confidentiality. To check for non-passworded accounts, use Security Profile
Inspector for Networks (SPI-NET) or Computer Oracle and Password System (COPS).
To download:
SPI-NET
http://ciac.llnl.gov/cstc/spi/spinet.html
COPS
ftp://coast.cs.purdue.edu/pub/tools/unix/cops-perl.tar.gz
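The check the conclusion asks for, finding accounts with no password, is simple enough to show directly. The script below is an added example of that check (not code from SPI-NET or COPS): it reads passwd- and shadow-style files, follows an 'x' hash field into the shadow file, and reports every account whose password field is empty while leaving locked accounts alone. The sample file contents are constructed.

```python
"""Flag accounts with an empty password field in passwd/shadow-style files,
the kind of check the bulletin says to run with SPI-NET or COPS.  Added
example; not code from either tool.  The sample file contents are
constructed."""
from typing import Dict, List


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map account name -> list of colon-separated fields; skip blanks and comments."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unpassworded_accounts(passwd_text: str, shadow_text: str = "") -> List[str]:
    """Return the sorted names of accounts that can log in with no password.

    Field 2 of passwd holds the hash; when it is 'x' the hash lives in the
    shadow file, so that entry is consulted instead.  An empty field means
    no password is required.  Locked markers ('*', '!', 'NP', ...) are
    non-empty and therefore not reported; an 'x' entry with no shadow line
    cannot match any password and is not reported either."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    open_accounts: List[str] = []
    for name, fields in passwd.items():
        if len(fields) < 2:
            continue  # malformed line, not an account entry
        hash_field = fields[1]
        if hash_field == "x":
            if name not in shadow or len(shadow[name]) < 2:
                continue
            hash_field = shadow[name][1]
        if hash_field == "":
            open_accounts.append(name)
    return sorted(open_accounts)


# Constructed sample files: root and guest have an empty hash in passwd
# itself; print has 'x' in passwd and an empty hash in shadow; lp is locked
# with the Solaris 'NP' marker and nobody with '*'.
SAMPLE_PASSWD = """\
root::0:0:Super-User:/:/sbin/sh
print:x:100:1:Print Spooler:/export/home/print:/bin/sh
guest::200:1:Guest:/tmp:/bin/sh
nobody:*:60001:60001:Nobody:/:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
"""

SAMPLE_SHADOW = """\
print::6445::::::
lp:NP:6445::::::
"""

if __name__ == "__main__":
    for name in unpassworded_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"account {name!r} has no password")
```

On a real system read /etc/passwd and /etc/shadow (the latter needs root) and pass their contents in; the print account in the sample is the case the Codonics section describes, a service account shipped with a null password that the installer is expected to set.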
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
J-009: Cisco IOS Command History Release at Login Prompt
J-010: SGI Buffer Overflow Vulnerabilities ( xterm(1), Xaw library)
J-011: Microsoft IE 4.01 Untrusted Scripted Paste (Cuartango Vul.)
J-012: SGI IRIX routed(1M) Vulnerability
J-013: SGI IRIX autofsd Vulnerability
J-014: IBM AIX automountd Vulnerability
J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNm21wrnzJzdsy3QZAQG1yAP/UUXsc4fHhJjIDT1i6D2p7QXTnuGWfZIO
WJ8UtiFu2O6nRLXsO/aLxB3rpPkIyhckeSNcsY4nHTDadtxU+jKPGsI34C60dBVW
EAgcL/j3yWfJh+J6MAk2C+Hom2954AywMVa8LZh2Rs+7vn1jMsz5SSST/+SXU+jp
jVAGG1G8tw8=
=aIiC
-----END PGP SIGNATURE-----