Re: foofus.net security advisory - Lexmark Multifunction Printer Information Leakage

[Sergio Gelato <Sergio.Gelato () astro su se>]

* percx () foofus net [2011-11-07 15:32:47 +0000]:
> 2. Description:
>
> Passwords can be extracted in plan text from the settings export file.
> http://hostname-IP_Address/cgi-bin/exportfile/printer/config/secure/settingfile.ucf
>
> ============================================================================
>
> 4. Affected Products:
> Lexmark X656de multifunction printer (Kernel=FPR.APS.F184-0, Base=LR.MN.P224a-0)
> Other Lexmark and Dell branded Multifunction printers may also be vulnerable

Might this not have been fixed by the following change in firmware P311e2,
which was released in April 2010 and advertised as fixing various CVEs?
     3) Security related UCF keys can now be imported/exported from the 
        embedded web server.

What I see on an X65x running P510 is that security-related keys are now
in authfile.ucf, authentication is required in order to download that (if one
has configured authentication; hopefully those who haven't done so also haven't
stored any sensitive information in the device), and some passwords are
deliberately not included in the file (presumably because they cannot be
stored as one-way hashes). Of course that doesn't prove that all possible
configurations are now safe but it is a hint that the issue may already
have been taken care of.

> ============================================================================
>
> 5. Solution:
>
>    Insure that a complex password is set on printer.

Really? How does that help against password leakage? 

And why not recommend, or at least mention the possibility of, a firmware 
upgrade? P311e2, P413c and P510/P510b all contain security fixes, and you 
haven't claimed that the latest firmware was still vulnerable. It would have
been interesting to check.