Alert
Directory traversal vulnerability in certain HP LaserJet printers
Posted: 2009-05-20 12:00:00
Summary: A directory traversal vulnerability exists in the web administration interface of certain HP LaserJet printers and digital senders.
Affected Systems:
HP LaserJet 2410 with firmware prior to 20080819 SPCL112A
HP LaserJet 2420 with firmware prior to 20080819 SPCL112A
HP LaserJet 2430 with firmware prior to 20080819 SPCL112A
HP LaserJet 4250 with firmware prior to 20090323 SPCL014A
HP LaserJet 4350 with firmware prior to 20090323 SPCL014A
HP LaserJet 5200 with firmware prior to 20090305 SPCL0601A
HP LaserJet 9040 with firmware prior to 20080819 SPCL110A
HP LaserJet 9050 with firmware prior to 20080819 SPCL110A
HP LaserJet 4345mfp with firmware prior to 09.120.9
HP Color LaserJet 4730mfp with firmware prior to 46.200.9
HP LaserJet 9040mfp with firmware prior to 08.110.9
HP LaserJet 9050mfp with firmware prior to 08.110.9
HP 9200C Digital Sender with firmware prior to 09.120.9
HP Color LaserJet 9500mfp with firmware prior to 08.110.9
Description:
Exploitation of this vulnerability will allow an attacker to access files on the printer that were previously believed to be protected. This may disclose sensitive data to an attacker and may also disclose information to be used in subsequent attacks.
Solution:
Apply firmware updates supplied by HP. Additionally, if possible, ensure access to printers is limited to the fewest users possible. Ensure that all administrative interfaces are password-protected and disable any methods of access that are not used.
References:
http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01623905&admit=109447626+1242837663605+28353475
Source:
http://www.securityfocus.com/bid/33611/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4419