Newly released firmware updates address a vulnerability in the web administration interface

Feb 7, 2009 10:35 GMT  ·  By
HP releases security firmware updates for several printer and digital sender models

HP has published an advisory describing a vulnerability in the web administration interface of several LaserJet printer models and a Digital Sender. The flaw allows a remote attacker to gain read access to system files.

According to HP, the affected products are HP LaserJet 2410, HP LaserJet 2420, HP LaserJet 2430, HP LaserJet 4250, HP LaserJet 4350, HP LaserJet 9040, HP LaserJet 9050, HP LaserJet 4345mfp, HP LaserJet 9040mfp, HP LaserJet 9050mfp, HP Color LaserJet 4730mfp, HP Color LaserJet 9500mfp and HP 9200C Digital Sender. The vulnerability is identified as CVE-2008-4419 in the Common Vulnerabilities and Exposures system.

The Vulnerability Research Team from Digital Defense, which is credited with the discovery of the flaw, notes that the flaw originates in the HP-ChaiSOE/1.0 embedded web server and can be exploited by using simple directory traversal techniques. "An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc.," explain the researchers, warning that the "information obtained from an affected host may facilitate further attacks against the host."

Digital Defense ranked the severity of this vulnerability as High, while HP assigned it a score of 7.8 on the Common Vulnerability Scoring System (CVSS). "The information in this Security Bulletin should be acted upon as soon as possible," the HP advisory states. "HP has provided firmware updates and preliminary firmware updates to resolve this vulnerability," the company adds.

Graham Cluley, senior technology consultant at Sophos, points out that the origin of this bug only makes it worse. "This probably isn't the most serious vulnerability that the world has ever seen, but you can imagine that many IT departments will treat patching a printer as a very low priority compared to desktop computers and servers. The danger is that some companies will never find the resources to tackle the lower priority security issues, potentially leaving them in a risky state for the future," explains the security researcher.

This underlines the need to monitor hardware vulnerabilities as well, not just those affecting operating systems or popular software such as browsers and e-mail clients. Yet it is unlikely that system administrators will be keen to follow up on security bulletins from companies like HP. The fast-spreading Conficker worm, which infected a very large number of business computers, is proof that even serious operating system vulnerabilities are not patched in a timely manner.

"The danger is that some companies will never find the resources to tackle the lower priority security issues, potentially leaving them in a risky state for the future," concludes Mr. Cluley. Meanwhile, Digital Defense suggests the temporary workaround of restricting access to the web administration interface to authorized hosts only, in order to mitigate the risks until the firmware updates are deployed.
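As an added illustration, not taken from the HP advisory or the Digital Defense report, the following Python script applies both points above to a printer's web-interface access log: it flags requests that come from outside an administrator allow-list (the suggested workaround) and requests whose path still contains a `..` segment after URL decoding, which is the directory traversal pattern the researchers describe. The log lines, host addresses, network range and paths are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample access-log lines for a printer's embedded web server.
# Addresses, paths and timestamps are hypothetical, not from the advisory.
SAMPLE_LOG = """\
10.0.5.23 - - [07/Feb/2009:10:35:01 +0000] "GET /admin/status.htm HTTP/1.1" 200 5120
10.0.5.23 - - [07/Feb/2009:10:35:07 +0000] "GET /admin/network.htm HTTP/1.1" 200 2048
192.0.2.77 - - [07/Feb/2009:10:36:12 +0000] "GET /admin/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 913
192.0.2.77 - - [07/Feb/2009:10:36:20 +0000] "GET /admin/%252e%252e/%252e%252e/config.xml HTTP/1.1" 200 4400
10.0.5.23 - - [07/Feb/2009:10:37:00 +0000] "GET /admin/jobs.htm HTTP/1.1" 200 3300
"""

# Hosts allowed to reach the web administration interface (assumed range).
ADMIN_NETS = [ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and the double-encoded
    %252e%252e both reduce to a literal '..'; treat backslash as a separator."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")

def is_traversal(path: str) -> bool:
    """True when any path segment (ignoring the query string) is exactly '..'."""
    clean = normalize_path(path).split("?", 1)[0]
    return any(segment == ".." for segment in clean.split("/"))

def audit(log_text: str, allowed_nets):
    """Return (source, path, status, reasons) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        src = ip_address(match["ip"])
        reasons = []
        if not any(src in net for net in allowed_nets):
            reasons.append("source not in admin allow-list")
        if is_traversal(match["path"]):
            reasons.append("directory traversal in request path")
        if reasons:
            findings.append((str(src), match["path"], match["status"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ADMIN_NETS):
        print(finding)
```

A status of 200 on a flagged traversal request is the signal that the device served the file, which on an unpatched unit is what the advisory warns about.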