Bugtraq mailing list archives
Summary re: Xerox N40 printers and Code Red worm
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Sun, 12 Aug 2001 12:21:07 -0400 (EDT)
Back last Thursday, I wrote (in response to griping about Xerox printers being killed by Code Red and someone's saying "buy HP instead"):

> Is HP any better? I have a IIIsi and haven't found any way to stop it from taking print jobs from anyone who can connect to port 9100, so I have had to put it in the RFC1918 part of the house LAN.
This is a summary of what responses I've gotten, if our illustrious Aleph One thinks it's worth the posting. :-)

The responses I've seen have fallen into two general classes.

One is the "what's a printer doing outside your firewall/NAT box" attitude. As for that, I don't do NAT (it breaks the assumptions underlying IP too badly, breaking too many higher-layer protocols), and it *is* inside what firewalling I'm doing. (My firewall is really minimal, since my attitude towards firewalls is that they're saying "I know I've got broken software but rather than fix it I'd rather try to hide the holes". Hard shell, soft and chewy interior. That's why the printer was so annoying, because in this respect I saw it as broken and unfixable.)

The other, largest, class says to frob with my bootp/dhcp configuration and get it to TFTP a config file. I haven't been doing bootp/dhcp; I configure the printer from its front panel. I'm not sure how reasonable I think it is to provide ACLs but only via some config mechanisms; in my case, I would rather leave it in the 1918 part of my house LAN than make it depend on having a bootp/dhcp server up.

One message from HP gave a good deal more info, saying it was also possible to use telnet or the thing's Web server. If it's possible to push-change its configuration over the net, that's a pretty major security issue right there; it's definitely staying right where it is, in 1918 space. (I'm not quite sure what sort of mind it takes to see a webserver in a printer as a feature, and I don't think I want to know.)

Two people pointed me at http://www.hp.com/cposupport/networking/support_doc/bpj05999.html. Unfortunately, the address picked for www.hp.com (192.151.52.13) is one of the many webhosts with the won't-frag disease, the problem outlined in RFC 2923 section 2.1, at least from where I sit. I could play guessing games with the rest of the addresses, but it doesn't seem worthwhile, especially since it probably won't say anything not already covered above.

Two people said, basically, "use a newer printer". I have two responses to that: (1) this was about using existing hardware - the message that started this all off said (of Xerox) "They say they have lots of security on the current models. Well that's great if you're buying their current products, but not so great if you are a past customer."; (2) "use a newer printer" is easy to say when it's someone else's money - send me the price of a suitable upgrade and I'll get one and shut up.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B