Wednesday, February 11, 2009

HP document disclosure vulnerability

You might be sure that your PC is locked down against attacking crackers, but how often do you update your printer's firmware? If you're a user of HP devices, the answer may well be "not often enough."

According to an article by The Register's John Leyden yesterday, HP is warning customers that certain models of laser printers are vulnerable to a remote exploit which can allow access to the internal settings – including the ability to view and download copies of previously printed files. While the vulnerability isn't likely to result in an opening for further attacks against an internal network, the privacy implications push the severity up a notch.

The affected models – all network capable – are the HP LaserJet 2410, 2420, 2430, 4250, 4350, 9040, and 9050; the HP Color [sic] LaserJet 4730MFP and 9500MFP; and the HP 9200C Digital Sender. If you – or, more realistically, your company – use any of these models, it would be a good idea to snag the updated firmware which addresses the issue.

The vulnerability – assigned the ID CVE-2008-4419 in the Common Vulnerabilities and Exposures project – is thought to be mitigated by standard border protections, but still represents a potentially troublesome security hole, made worse by the fact that most security audits gloss over embedded systems such as printers.

HP has declined to comment on the issue, apart from warning customers that the patch information available as part of its security bulletin should "be acted upon as soon as possible" by customers with affected devices.

Rushing to patch your personal printer before the crackers get their hands on your printouts, or are you hoping to get a sneak peek at what the CEO's been printing out of office hours? Share your thoughts over in the forums.
