-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Intelligent Peripherals Create Security Risk

December 8, 1998 17:00 GMT                                        Number J-019
______________________________________________________________________________
PROBLEM:       Improper installation of intelligent peripherals may cause the
               machines to be compromised.
PLATFORM:      All intelligent peripherals connected to the Internet requiring
               an IP address that have the capability of storing images in
               memory and/or onto an internal hard drive. Some of these
               systems have the capability of running inet daemons such as
               ftp, telnet, and others.
DAMAGE:        By exploiting the non-passworded accounts, remote users may
               gain access to the system and jeopardize sensitive information.
SOLUTION:      Follow the manufacturer's installation instructions and
               password all default accounts. CIAC recommends that all
               unneeded daemons be turned off.
______________________________________________________________________________
VULNERABILITY  Risk is high. CIAC has received reports of intelligent
ASSESSMENT:    peripherals, such as printers, being compromised by intruders
               and print jobs being redirected to other machines. Sensitive
               information was potentially compromised.
ATTENTION:     Please pass this information to all administrators who use
               printers, copiers, faxes, and scanners connected to a network.
______________________________________________________________________________

CIAC is aware of security risks associated with intelligent peripherals.
Although these devices do not 'look like' computers, they actually have the
internal components of one. In fact, some printers utilize a SPARC CPU board
that runs the Solaris UNIX operating system.

Xerox has a sophisticated device that allows users to copy, fax, scan, and
print documents. This device utilizes a network UNIX hard disk that conforms
to the UNIX standard for file directories, and hence it has the capability of
storing images in memory. For this device, Xerox recommends that the user
network information be secure. This information includes network IDs, network
passwords, network file locations, user network names, and user passwords.
In most cases, the more complex the functionality the device features, the
higher the security risks. However, with proper installation and
configuration the risks are reduced.

Throughout the past year CIAC has received reports of peripherals, mostly
printers, that were compromised. The following examples, regardless of the
device type and manufacturer, indicate the importance of properly installing
these devices on the network.

Codonics NP-1600 Printer

In March, CIAC was notified of a Codonics NP-1600 printer being compromised.
The printer utilizes a SPARC CPU board and runs the Solaris UNIX operating
system. This implies that the printer may have user accounts, as well as
daemons running, that may be used to compromise the device.

The printer is released from the manufacturer with default accounts without
passwords (null accounts). However, the manufacturer gives instructions and
guidance on how to install and configure the printers, and warns individuals
to password the root account. The printer has inet and rpc daemons running by
default. Some of these daemons are needed; however, CIAC recommends that all
unneeded daemons be turned off.

After receiving this information, CIAC scanned a Codonics printer to gather
all the information about the services allowed. According to the system
administrator, the printer was configured per the instructions issued by the
manufacturer. The results of the scan found the printer to be vulnerable only
to Denial of Service (DoS) attacks.

Listed below are the daemons running by default on a Codonics NP-1600
printer.

inet daemons:

    port type and status
    7 (echo) is running.
    9 (discard) is running.
    13 (daytime) is running.
    19 (chargen) is running.
    21 (ftp) is running.
    23 (telnet) is running.
    37 (time) is running.
    79 (finger) is running.
    111 (sunrpc) is running.
    512 (exec) is running.
    513 (login) is running.
    514 (shell) is running.
    515 (printer) is running.
    540 (uucp) is running.
    741 (UNKNOWN) is running.

rpc daemons:

    program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100087   10   udp  32772
    100011    1   udp  32773  rquotad
    100002    2   udp  32774  rusersd
    100002    3   udp  32774  rusersd
    100012    1   udp  32775  sprayd
    100008    1   udp  32776  walld
    100001    2   udp  32777  rstatd
    100001    3   udp  32777  rstatd
    100001    4   udp  32777  rstatd
    100068    2   udp  32778
    100068    3   udp  32778
    100068    4   udp  32778
    100083    1   tcp  32771
       200    1   udp    740
       200    1   tcp    741

HP Jet Direct Printer

In September, CIAC received information of an HP Jet Direct printer being
hijacked by a foreign hacker. All print jobs sent to the printer were
actually sent to the print server in the foreign country. An intruder can
redirect all print jobs by becoming the print server using the mscan tool
against an unprotected printer. There are two passwords that need to be set
to protect the printer. To prevent this type of activity, use the HP Jet
Admin Utility to password protect the device.

If your printer appears to be operational but is not printing, view the
status of the printer using the HP Jet Admin Utility. To check the status of
the printer, do the following:

    1) Select 'Device'
    2) Select 'Properties'
    3) Select 'Diagnostics' tab
    4) Click on 'TCP/IP'
    5) Click on 'General'

At this level, the 'Server Address' is visible. The IP address displayed
should be that of the machine you are connecting from. Check to ensure it's
the correct machine address.
If not, you may kill the active connection and enable the queue using the HP
Jet Admin Utility. This will return control of the printer to your local
network, and the print jobs already queued should print.

Scanning Returns Interesting Results

While scanning a subnet recently, the scanner was unable to identify some of
the machines associated with a series of IP addresses. However, the scanner
did list the services allowed by each machine. Upon further investigation,
CIAC determined these IP addresses were assigned to printers. The following
ports and services were allowed by one of the printers:

    23   telnet
    80   httpd
    515  printer
    161  snmp server

An individual could use the telnet protocol to log in and, since the password
capability was disabled, have free access to the printer and its telnet
configuration setup.

Below is a sample of a JetDirect printer telnet configuration setup:

    Firmware Rev.:   G.07.03
    MAC Address:     XX:XX:XX:XX:XX:XX (removed to preserve the identity)
    Config By:       USER SPECIFIED
    IP Address:      XXX.XXX.XXX.XX (removed to preserve the identity)
    Subnet Mask:     255.255.255.0
    Default Gateway: XXX.XXX.XXX.XXX (removed to preserve the identity)
    Syslog Server:   Not Specified
    Idle Timeout:    120 Seconds
    Set Cmnty Name:  Not Specified
    Host Name:       Not Specified
    DHCP Config:     Disabled
    Passwd:          Disabled
    IPX/SPX:         Enabled
    DLC/LLC:         Enabled
    Ethertalk:       Enabled
    Banner page:     Enabled

CIAC highly recommends that printers with this type of capability enable
password protection and turn off all unneeded services. In most cases ftp,
telnet, and httpd are rarely needed for printers.

Conclusion

Today, printers and copiers are more complex, and with this complexity come
security risks. Non-passworded default accounts are a major security risk
regardless of the operating system and the platforms used. Allowing access to
an unprotected device may lead to other devices being compromised. To tighten
down your systems, make sure all accounts have passwords and that all
unneeded daemons are turned off.

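An added example, not part of the original CIAC bulletin: a short audit that reads a service listing and a telnet configuration dump in the two formats shown above and reports what to turn off or fix. The function names, the allowlist of needed ports, the list of unused protocols, and both sample inputs are assumptions constructed for this example.

```python
import re

# Assumptions for this example: the only service the printer needs is lpd
# on port 515, and the site prints over TCP/IP only.
NEEDED_PORTS = {515}
PROTOCOL_KEYS = ("IPX/SPX", "DLC/LLC", "Ethertalk")

# Constructed samples in the two listing formats shown in this bulletin.
SCAN_SAMPLE = """\
19 (chargen) is running.
21 (ftp) is running.
23 (telnet) is running.
515 (printer) is running.
"""
CONFIG_SAMPLE = """\
Syslog Server: Not Specified
Idle Timeout: 120 Seconds
Passwd: Disabled
IPX/SPX: Enabled
DLC/LLC: Disabled
Banner page: Enabled
"""

SERVICE_RE = re.compile(r"^\s*(\d+)\s+\(([^)]+)\)\s+is running\.?\s*$")


def unneeded_services(listing, needed=NEEDED_PORTS):
    """Return (port, name) for each running service not on the allowlist."""
    hits = (SERVICE_RE.match(line) for line in listing.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in hits
            if m and int(m.group(1)) not in needed]


def config_findings(config, unused_protocols=PROTOCOL_KEYS):
    """Flag settings in a 'Key: Value' dump that the bulletin warns about."""
    settings = {}
    for line in config.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            settings[key.strip()] = value.strip()
    findings = []
    # A missing Passwd line is treated the same as "Disabled".
    if settings.get("Passwd", "Disabled").lower() != "enabled":
        findings.append("Passwd: password protection is not enabled")
    for proto in unused_protocols:
        if settings.get(proto, "").lower() == "enabled":
            findings.append(f"{proto}: enabled but not needed at this site")
    return findings


if __name__ == "__main__":
    for port, name in unneeded_services(SCAN_SAMPLE):
        print(f"turn off: {port}/{name}")
    for finding in config_findings(CONFIG_SAMPLE):
        print(f"fix: {finding}")
```

Adjust `NEEDED_PORTS` and `PROTOCOL_KEYS` to what the device actually has to provide on your network before acting on the output.
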
Follow the installation instructions provided by the manufacturer. If the
instructions are not clear, call the manufacturer and ask for assistance.
Remember, hijacking print jobs may jeopardize confidentiality.

To check for non-password accounts, use Security Profile Inspector for
Networks (SPI-NET) or Computer Oracle and Password System (COPS).

To download:

    SPI-NET    http://ciac.llnl.gov/cstc/spi/spinet.html
    COPS       ftp://coast.cs.purdue.edu/pub/tools/unix/cops-perl.tar.gz

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), call
the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:      http://www.ciac.org/
                         (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:       ftp.ciac.org
                         (or ciac.llnl.gov -- they're the same machine)
    Modem access:        +1 (925) 423-4753 (28.8K baud)
                         +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes
for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:

    subscribe list-name
    e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation that
you will need to mail back to the addresses above, as per the instructions in
the email. This is a partial protection to make sure you are really the one
who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained
via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-009: Cisco IOS Command History Release at Login Prompt
J-010: SGI Buffer Overflow Vulnerabilities ( xterm(1), Xaw library)
J-011: Microsoft IE 4.01 Untrusted Scripted Paste (Cuartango Vul.)
J-012: SGI IRIX routed(1M) Vulnerability
J-013: SGI IRIX autofsd Vulnerability
J-014: IBM AIX automountd Vulnerability
J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNm21wrnzJzdsy3QZAQG1yAP/UUXsc4fHhJjIDT1i6D2p7QXTnuGWfZIO
WJ8UtiFu2O6nRLXsO/aLxB3rpPkIyhckeSNcsY4nHTDadtxU+jKPGsI34C60dBVW
EAgcL/j3yWfJh+J6MAk2C+Hom2954AywMVa8LZh2Rs+7vn1jMsz5SSST/+SXU+jp
jVAGG1G8tw8=
=aIiC
-----END PGP SIGNATURE-----