copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Exte... » ESB-2013.0411 - [Printer] Xerox DocuColor 242-252-26...
 

ESB-2013.0411 - [Printer] Xerox DocuColor 242-252-262 printers: Multiple vulnerabilities
Date: 20 March 2013
References: ASB-2012.0021  ASB-2013.0025  ESB-2013.0300  ESB-2013.0309  ESB-2013.0316  ESB-2013.0365  ESB-2013.0366  ESB-2013.0383  ESB-2013.0399  ESB-2013.0404  
ESB-2013.0487  ESB-2013.0526  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0411
            Vulnerability Note VU#737740 Fiery EXP260 2.0 print
              controllers use a vulnerable version of OpenSSL
                               20 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox DocuColor 242-252-262 printers
Publisher:         US-CERT
Operating System:  Printer
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0169 CVE-2013-0166 CVE-2012-2333
                   CVE-2012-0884 CVE-2011-4619 CVE-2011-4577
                   CVE-2011-4576 CVE-2011-4109 CVE-2011-4108
                   CVE-2010-4180 CVE-2010-3864 

Reference:         ASB-2013.0025
                   ASB-2012.0021
                   ESB-2013.0404
                   ESB-2013.0399
                   ESB-2013.0383
                   ESB-2013.0366
                   ESB-2013.0365
                   ESB-2013.0316
                   ESB-2013.0309
                   ESB-2013.0300

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/737740

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#737740
Fiery EXP260 2.0 print controllers use a vulnerable version of OpenSSL

Original Release date: 18 Mar 2013 | Last revised: 19 Mar 2013
Print Document
Tweet
Like Me
Share
Overview

Fiery EXP260 2.0 print controllers used in Xerox DocuColor 242-252-262 printers
use a vulnerable version of OpenSSL (0.9.8o).

Description

Xerox DocuColor 242-252-262 printers are known to use the Fiery EXP260 2.0 
print controller. The Fiery EXP260 2.0 print controller uses OpenSSL for 
SSL/TLS encryption. The version of OpenSSL that comes with the Fiery EXP260 
2.0 print controller is 0.9.8o that is out of date and known to be vulnerable.

Impact

A remote attacker may be able to cause a denial of service or possibly run 
arbitrary code.

Solution

Apply an Update

Apply patch 1-1IJ6ZK. The patch will upgrade OpenSSL to version 0.9.8x. Patch 
1-1IJ6ZK can be obtained from Xerox tech support.

Restrict access

As a general good security practice, only allow connections from trusted hosts
and networks.

Vendor Information (Learn More)

Vendor	Status		Date Notified	Date Updated
EFI	Affected	18 Dec 2012	18 Mar 2013

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group 		Score 	Vector
Base 		6.9 	AV:A/AC:M/Au:N/C:P/I:P/A:C
Temporal 	5.1 	E:U/RL:OF/RC:C
Environmental 	1.0 	CDP:L/TD:L/CR:L/IR:L/AR:L

References

    http://www.support.xerox.com/support/docucolor-242-252-260/downloads/enus.html?associatedProduct=fiery-exp260&operatingSystem=win7x64
    https://www.openssl.org/news/vulnerabilities.html
    http://w3.efi.com/Fiery

Credit

Thanks to Curtis Rhodes for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-0169 CVE-2013-0166 CVE-2012-2333 CVE-2012-0884 CVE-2011-4619
         CVE-2011-4577 CVE-2011-4576 CVE-2011-4109 CVE-2011-4108 CVE-2010-4180 
         CVE-2010-3864

Date Public: 18 Mar 2013

Date First Published: 18 Mar 2013

Date Last Updated: 19 Mar 2013

Document Revision: 25

Feedback

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUUkdfe4yVqjM2NGpAQLypQ/7BwCnTkmkX4CSfZyWnOHa8GiakOZ9m5Ty
7ZLyuVK3VJBTipzz5yZUkUBiGoVLRa36IAW0gLJOXIky3K9Ag7bAzk46RhF6LYC8
fM+fKP3fQGKt1C3lRjmDGeHDNwBXPexL9vfc8ZxWwmLuPQl9nE/TIPQAsiWtWFHK
zMN4tqFhOSjyhMpowUlUD2SUPNIvQHhgqXyZXqy0HNS46h5jLp8i0uxaMuGxuURZ
70rjrtk6z7tE+0t+yIUP3zyd1Njks5JfUkPd//w3JJMFdxv6koSlY+WO/yJWW+cl
KlbrL28jXbpZUyIH+EIO5WVgbcF2D6CKtblAco5H8iR01wf+0pPEP2eBWR6k68iK
rTJhr2RZPQO//YNy79aUVo2u7VDwBvSB5PNn4Jbbsn+Oy57b8NtbrKFcanZp+A3H
QACWSNdSRK+99/wh9mFCkBmUynY/qwekTyKYYCO7aBAdItQe8VvMzNqDNagcW451
1DgRTCAB7KB70wh54bLj0lgkUjj8g3OdowkK7qd2RJEfAYnWGNhPK5B5mzTbEtXh
tIR7XUGmBpg02NREltRsMSMujpwMAxsoH4Y/nnrjFXdSKa579V3CSHp4/xkHJUHt
TL6yoTXb/M4ldNg1VA3ER58to19cABDJAezaZIkyvUF5kp8Zs5zuZmXOw+hyjPsR
V9F3roMjahs=
=UogF
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1980&it=17231