Overview
A vulnerability in certain Hewlett-Packard devices could allow a remote attacker to install unauthorized firmware on an affected system.
Description
Certain Hewlett-Packard Printers and Hewlett-Packard Digital Senders products allow the device's firmware to be updated over the network. The firmware update process can be accomplished via port 9100/tcp and does not require authentication. As a result, a remote attacker could perform unauthorized modification of the device's firmware. Hewlett-Packard notes that the remote firmware update feature is enabled by default on affected systems. The list of affected devices can be found in HP Security Bulletin HPSBPI02728 SSRT100692, and includes many varieties of the HP LaserJet and Color LaserJet products. |
Impact
A remote unauthenticated attacker could install malicious firmware on an affected device. This malicious firmware could allow the attacker to take control of the affected device, gain access to sensitive information sent to or from the device, or cause a denial of service (e.g., through malfunction of the device). |
Solution
Disable Remote Firmware Update |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.3 | E:F/RL:OF/RC:C |
| Environmental | 6.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449&jumpid=em_alerts_us-us_Dec11_xbu_all_all_1514802_101529_printersandmultifunctionscanners-copiers-faxes_critical_000_0
- http://h71028.www7.hp.com/enterprise/downloads/HP-Imaging10.pdf
- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03102449-6
- http://ids.cs.columbia.edu/sites/default/files/ndss-2013.pdf
Acknowledgements
This document was written by Chad Dougherty.
Other Information
| CVE IDs: | CVE-2011-4161 |
| Date Public: | 2011-11-29 |
| Date First Published: | 2011-12-08 |
| Date Last Updated: | 2013-12-02 21:16 UTC |
| Document Revision: | 12 |