Vulnerability: TCP/IP

Affected: HP JetDirect

Description:

This problem is based on an ISS Security Advisory. Even though the JetDirect cards are not subject to SYN flooding per se, the single-threaded TCP/IP stack means that even a single SYN packet can lock up the older interface for a significant period of time (tens of seconds to as much as a minute). Thus the printer can be subjected to a denial of service attack by slowly dripping SYN packets with non-responding "from" addresses directed at the older JetDirect interface. If this is directed at more than one of the JetDirect ports, the interface may lock up, as in the repeated rapid port scanning DoS described below.

Some scanning tools use parallel port scanning to improve scanning speed. Parallel scanning of multiple ports on the older JetDirect cards has a high probability of causing a complete lockup of the JetDirect network interface. The fact that the DoS is not deterministic, and that the failure rate is highly dependent on the timing and speed of the scan, indicates that this is a timing window or race condition in the TCP/IP stack of the older JetDirect. Rapidly scanning ports 9099 and 9100 can very quickly cause this failure, and scanning 9099 and 9100 from a low-order source port such as port 20 (ftp-data) could slip past some filtering firewalls.

The default SNMP community names on the older JetDirect cards and servers allow for very rapid identification of vulnerable printers which may be subjected to these various attacks. The community names on the JetDirect cards should be changed. On some older versions of the JetDirect interfaces, changing the SNMP community names added the new community names, but the interface would still respond to the old community name. While SNMP community names should not be considered secure, these older cards may give a false sense of protection.

Solution:

Flooding: newer multi-threaded versions of the JetDirect interfaces are not vulnerable to this problem.

Scanning: the problem may still be present, but is much more difficult to exploit, in newer versions of the JetDirect interfaces and newer JetDirect print servers.

SNMP: the problem of not being able to disable the older community name is not present in newer versions of the JetDirect interfaces.
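As an added illustration that is not part of the original advisory, the following defender-side check runs over constructed connection records and flags the two patterns described above: a slow drip of never-completed SYNs to a JetDirect port, and a rapid probe of both 9099 and 9100 from one source, noting when a low source port (such as 20) was used. The record format, the sample addresses and the window thresholds are assumptions chosen for this example.

```python
from collections import defaultdict

JETDIRECT_PORTS = {9099, 9100}

# Constructed sample connection records (not real captures):
# (time_seconds, src_ip, src_port, dst_port, handshake_completed)
SAMPLE_FLOWS = [
    (0.0,   "10.0.0.5", 51000, 9100, False),   # SYN only, never completes
    (20.0,  "10.0.0.5", 51001, 9100, False),
    (40.0,  "10.0.0.5", 51002, 9100, False),
    (50.0,  "10.0.0.7", 40000, 9100, True),    # legitimate print job
    (100.0, "10.0.0.9", 20,    9099, False),   # rapid two-port probe ...
    (100.2, "10.0.0.9", 20,    9100, False),   # ... sent from source port 20
]

def find_syn_drip(flows, window=60.0, min_syns=3):
    """Sources with >= min_syns half-open SYNs to JetDirect ports inside `window` seconds."""
    per_src = defaultdict(list)
    for t, src, _sport, dport, done in sorted(flows):
        if dport in JETDIRECT_PORTS and not done:
            per_src[src].append(t)
    hits = set()
    for src, times in per_src.items():
        for i in range(len(times)):
            # sliding window anchored at times[i]
            n = sum(1 for t in times[i:] if t - times[i] <= window)
            if n >= min_syns:
                hits.add(src)
                break
    return hits

def find_rapid_multiport(flows, window=1.0):
    """Sources touching more than one JetDirect port within `window` seconds.
    Returns {src: True if a privileged (<1024) source port was used}."""
    seen = defaultdict(list)
    for t, src, sport, dport, _done in sorted(flows):
        if dport in JETDIRECT_PORTS:
            seen[src].append((t, dport, sport))
    result = {}
    for src, events in seen.items():
        for i, (t0, p0, s0) in enumerate(events):
            for t1, p1, s1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                if p1 != p0:
                    result[src] = min(s0, s1) < 1024
                    break
            if src in result:
                break
    return result
```

Feeding real firewall or flow logs into the same two functions only requires mapping each record onto the five-field tuple shown.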