The US Computer Emergency Response Team (CERT) has issued an intriguing Vulnerability Note to do with a data and password leakage flaw in a number of HP printers.
The note is intriguing because it’s a bit of a trip down memory lane, whisking us all the way back to one of the bugs exploited by Robert Morris’s infamous Internet Worm – the Great Worm, as I’ve even heard it called.
The Morris worm turns 25 this year, so you might expect we’d be well past repeating the software faults of that earlier, more innocent era.
HP’s bug isn’t so much a coding mistake as a operational problem in the company’s build-test-and-ship process.
As the US CERT puts it:
Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.
A remote unauthenticated attacker can connect to the telnet debug shell and gain unauthorized access to data.
You read that correctly: a telnet debug shell, inadvertently compiled into the shipping build of the firmware.
Morris’s worm, as you will remember if you were there at the time, or will probably have read if you’re a youngster, was an Advanced Persistent Threat.
It had multiple attack vectors, just like modern exploit packs that try a range of techniques to break in, hoping you will have forgotten to patch at least one of them.
Debugging code in release builds
One of Morris’s attack vectors made malicious use of a debug feature in sendmail, the all-but-ubiquitous email server of the day.
Many sites had inadvertently set up sendmail on their live servers with debugging code compiled in and turned on, meaning that they could almost trivially be owned by Morris’s worm.
Debugging code is an all-but-unavoidable part of any development project, aimed at helping you to understand more precisely how your code behaves internally.
This often means that debugging code is a security nightmare, since it may allow software behaviour which is unsuitable for a shipping product, such as introspection (a fancy word for peeking inside data structures that are usually off limits to other users), and authentication bypasses.
So, debug code is typically compiled out altogether in a release build.
Telnet considered harmful
And telnet, which some young sysadmins may never actually have seen or used, much as they have probably never actually dialled a telephone, shouldn’t really be anywhere, ever.
Telnet is to command-prompt logins what HTTP is to administration consoles: unencrypted, insecure and out of place in 2013.
Usernames and passwords travel unencrypted over the network, and the contents of the session can easily be sniffed and even modified.
That’s what makes possible the potential data and password leakage referred to above.
So, telnet is typically left out altogether in a release build, or reserved only for initial configuration.
HP has now patched the afflicted firmware for the affected printers, and is encouraging its customers to upgrade if they have one of these models:
- HP LaserJet Pro P1102w
- HP LaserJet Pro P1606dn
- HP LaserJet Pro M1213nf MFP
- HP LaserJet Pro M1214nfh MFP
- HP LaserJet Pro M1216nfh MFP
- HP LaserJet Pro M1217nfw MFP
- HP HotSpot LaserJet Pro M1218nfs MFP
- HP LaserJet Pro M1219nf MFP
- HP LaserJet Pro CP1025nw
- HP LaserJet Pro CP1025nw
(MFP stands for Multifunction Printer.)
If you have one of those models, you may as well upgrade your firmware.
And if you’re a programmer or a software tester, always be on your guard for internal-only software builds escaping into the wild!
3 comments on “HP printers in 1980s-style firmware misconfiguration boo-boo”
Interesting – as far as I know, the telnet shell's been around for a good few years (after all, it's what enables the changing default printer message prank)- I wonder what prompted the advisory? Presumably somebody found a way to do something more malicious than make the printer display say "Insert Coin" when idle…
The changing default message prank, for anyone interested, involved telnetting to the printer's IP on port 9100 (it would log you in without any prompting) and simply typing @PJL RDYMSG DISPLAY="YOUR MESSAGE HERE"
I have updated my P1102w printer last week. Be careful as firmware updates turn off web printing and you have to re-enable it. Also, they won't let you use the printer email you used last time. For example, if your email was email@example.com you can't chose it. Instead you have to opt for firstname.lastname@example.org. Thus, you have to delete the printer in Google cloud print (if you use it) and re-configure it using the new email.
Errata: (bad link to HP Security Bulletin)
Google search ‘hp.com c03684249’, second item