STEAM-ADVISORY NO. 2014040301
PURDUE UNIVERSITY SECURITY TEAM CIRT
Thursday, April 3, 2014 17:30 EDT
Since April 1st 2014 (April Fools' Day), we have received multiple reports that network printers on the campus network have a status message on the display panel that says "VOTE FOR JOSH". From our investigation, we believe that most of these messages are associated with an elaborate April Fools' Day prank. The source of the prank is outside of the Purdue University network and has affected printers at other institutions.
While we believe that this is a prank, it highlights a serious issue with network printers on the campus network. In our investigation and network scans, we discovered many network printers on the campus public IP space that are accessible outside of the Purdue network and lack appropriate security controls.
We ask that you review your network printer configuration to avoid security issues.
HP JetDirect network printers with:
- a Purdue public IP address
- no administrator password set
- no network-level access controls
- outdated firmware
Printers with public IP addresses and no security controls on the Purdue campus and other institutions were targeted using HP's JetDirect network interface and known issues in the HP printer software. Power-cycling the printer appears to return it to the previous configuration state. Changing the status message on the printer is a simple and well-known attack.
IT Security & Policy has only received reports related to the status panel messages. However, there is a possibility that this attack can be expanded and some weaknesses may lead to information exposure and misconfigured or damaged printers. Our limited testing has shown that some attacks can disable printers until they are power-cycled. Any HP JetDirect printer without an administrative password can be remotely configured. This includes attackers setting a password on the printer and altering the printer configuration. Printers that have passwords set by attackers must be factory reset.
IT Security & Policy recommends the following actions for each affected printer:
1. Assign an administrator password. (There is no password by default.)
2. Move the printer to a private IP.
3. Move the printer behind a network firewall with limited access.
4. Use HP JetDirect security controls.
   a. Access control lists (if available) should be used to limit access to the printer from trusted IP ranges.
   b. Unneeded network services should be disabled.
5. Update your printer firmware.
HP JetDirect Security Guidelines
h20628 . www2 . hp . com /km-ext/kmcsdirect/emr_na-c00746792-3 . pdf
(remove spaces from links)
Verify that the printer has an administrative password by attempting to alter the printer configuration. A password should be requested.
Verify that the printer is not accessible outside of the Purdue network by attempting to access the web interface for the printer from outside of the Purdue network.
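One way to script the private-IP recommendation and the outside-reachability check for a list of your own printers, as an added example that is not part of the original advisory. The inventory, the function names and the port list (80 and 443 for the web interface, 9100 for JetDirect raw printing) are assumptions; it does not test for the administrator password.

```python
import ipaddress
import socket

# Assumed ports: embedded web server (80, 443) and JetDirect raw printing (9100).
PRINTER_PORTS = (80, 443, 9100)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory. 192.0.2.10 is a documentation address standing in
# for a printer on a public IP; replace with your own printers.
INVENTORY = {"lab-printer": "192.0.2.10", "office-printer": "10.20.30.40"}


def on_private_ip(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def open_ports(host, ports=PRINTER_PORTS, timeout=2.0):
    """Ports on host that accept a TCP connection from where this runs."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered (timeout) or unroutable
            pass
    return found


def audit(inventory, probe=open_ports):
    """Map each printer name to the list of findings for it."""
    report = {}
    for name, ip in inventory.items():
        findings = []
        if not on_private_ip(ip):
            findings.append("not on a private IP")
        ports = probe(ip)
        if ports:
            findings.append("reachable on TCP ports %s" % ports)
        report[name] = findings
    return report


if __name__ == "__main__":
    # Run from a host outside the campus network; an empty list is the goal.
    for name, findings in audit(INVENTORY).items():
        print(name, findings or "no findings")
```

Run it once from inside and once from outside the network: a port that answers only from inside shows the firewall or ACL is doing its job.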
==STEAM-CIRT CONTACT INFORMATION==
For questions concerning this advisory, please send email to:
Report computer-related abuse to steam-cirt:
purdue . edu /securePurdue/incidentReportForm.cfm
purdue . edu /securepurdue/steam
(remove spaces from links)
Posted by ITSP on April 03, 2014, in Advisory Alerts.