ESB-2018.0714 - [Win][Appliance] Xerox FreeFlow Print Server: Access privileged data - Existing account 2018-03-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0714
        Xerox advises patching for Meltdown & Spectre, will provide
                             physical versions
                               12 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Windows
                   Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ESB-2018.0042.2

Original Bulletin: 
   https://security.business.xerox.com/wp-content/uploads/2018/03/cert_XRX18-010_FFPS-Windows_MeltdownAndSpectreUpdate_Mar2018.pdf

Comment: Xerox advises installing the Microsoft Windows patch and the Dell BIOS
         patch on its FreeFlow Print Server computers, and will provide these
         updates on physical media if requested.

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX18-010
Xerox® FreeFlow® Print Server v2.x on Windows
Printers Supported:
* Xerox® iGen®5 Press
* Xerox® Brenva™ HD Production InkJet Printer
Delivery of: Meltdown and Spectre Intel Design Flaw Patches
Bulletin Date: March 8, 2018


1.0 Background

This bulletin announces security patch deliverables for Windows-based FreeFlow®
Print Server products to mitigate the highly critical Meltdown and Spectre
vulnerabilities recently announced by the US-CERT advisory council. These are
two different Central Processing Unit (CPU) flaws that impact hardware, software
and the Windows Operating System. For more information on the Meltdown and
Spectre vulnerabilities refer to the Xerox URL below:
https://security.business.xerox.com/en-us/news/potential-vulnerability-affects-intel-processors/
These vulnerabilities are referred to as “speculative execution side-channel
attacks” affecting modern processors (Intel, AMD and ARM) and operating systems
such as Microsoft® Windows®. There are two components that must be applied to
the FreeFlow® Print Server / Windows platform to ensure that the Meltdown and
Spectre vulnerabilities are mitigated. An install document is available to
install these components.
They are as follows:
1. Windows Security Patches (CVE-2017-5753 and CVE-2017-5754 per January 2018
Security Patch Update)
2. Dell BIOS Firmware Update (CVE-2017-5715 per Dell BIOS firmware update)
We recommend that the Windows OS Security patches be installed before the BIOS
firmware update per procedures provided in an install document available with
the patch updates. There are also Windows registry settings that must be updated
to complete the mitigation of these security vulnerabilities.
Microsoft and Dell claim that the Meltdown and Spectre mitigation updates (e.g.,
patches and BIOS firmware) may have performance impacts on the FreeFlow Print
Server / Windows platform. The FreeFlow® Print Server engineering team has run
performance tests with these updates and found that there should be minimal to
no impact, depending on the complexity of the jobs being processed and printed.
The US-CERT advisory council announced three CVEs for the Meltdown and Spectre
vulnerabilities.

Meltdown/Spectre Common Vulnerability Exposure (CVE) Table

US-CERT CVE:      CVE-2017-5753
Type:             Spectre Variant 1 (bounds check bypass)
CVE Description:  Systems with microprocessors utilizing speculative execution
                  and branch prediction may allow unauthorized disclosure of
                  information to an attacker with local user access via a
                  side-channel analysis.

US-CERT CVE:      CVE-2017-5715
Type:             Spectre Variant 2 (branch target injection)
CVE Description:  Systems with microprocessors utilizing speculative execution
                  and indirect branch prediction may allow unauthorized
                  disclosure of information to an attacker with local user
                  access via a side-channel analysis.

US-CERT CVE:      CVE-2017-5754
Type:             Meltdown Variant 3 (rogue data cache load)
CVE Description:  Systems with microprocessors utilizing speculative execution
                  and indirect branch prediction may allow unauthorized
                  disclosure of information to an attacker with local user
                  access via a side-channel analysis of the data cache.

Note: Microsoft® has discovered compatibility issues with some Anti-Virus (AV)
software products. It is important to make sure that the AV software installed
on the FreeFlow® Print Server is the latest release and compatible with the
Windows kernel. See the information at the Microsoft® URL below:
https://support.microsoft.com/en-in/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
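The bulletin says that Windows registry settings must be updated to complete the mitigation, and that the installed AV software must be compatible with the January 2018 kernel changes, but it does not show how to confirm either on a given print server. The following PowerShell script is an added example, not part of the Xerox bulletin or the FreeFlow Print Server software. The registry paths and value names it reads are Microsoft's published controls for the Meltdown/Spectre mitigations (FeatureSettingsOverride and FeatureSettingsOverrideMask) and the antivirus compatibility flag described in the Microsoft article linked above; they are not taken from the bulletin. $ExpectedBiosVersion is a placeholder, because the bulletin does not name the Dell BIOS release; take the value from the install document that ships with the update.

```powershell
# Added example (not from the Xerox bulletin): report the Windows-side state that
# must accompany the January 2018 patches and the Dell BIOS update, so the result
# can be attached to the change record for each FreeFlow Print Server.
# Registry paths/value names are Microsoft's documented ones, not the bulletin's.

$MemMgmtKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$AvCompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AvCompatVal = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # REG_DWORD 0, written by compatible AV
$ExpectedBiosVersion = '<BIOS version from the Xerox install document>'  # placeholder

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-MitigationRegistryState {
    $override = Get-RegistryDword $MemMgmtKey 'FeatureSettingsOverride'
    $mask     = Get-RegistryDword $MemMgmtKey 'FeatureSettingsOverrideMask'
    # Meaning of the override bits as documented by Microsoft:
    #   bit 0 (value 1) set -> Spectre Variant 2 (CVE-2017-5715) mitigation disabled
    #   bit 1 (value 2) set -> Meltdown (CVE-2017-5754) mitigation disabled
    # Override 0 with mask 3 forces both on. No override at all means the OS
    # default, which the January 2018 updates left enabled on Windows client and
    # disabled on Windows Server, so "absent" is not the same as "enabled".
    $explicit = ($null -ne $override) -and ($null -ne $mask)
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        ExplicitlyConfigured        = $explicit
        Variant2DisabledByPolicy    = $explicit -and (($override -band 1) -ne 0)
        MeltdownDisabledByPolicy    = $explicit -and (($override -band 2) -ne 0)
        # Windows Update only offered the January 2018 updates when this flag was set.
        AvCompatFlagPresent         = (Get-RegistryDword $AvCompatKey $AvCompatVal) -eq 0
    }
}

function Get-BiosState {
    # The Variant 2 fix needs the Dell BIOS/microcode update the bulletin delivers on media.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Manufacturer    = $bios.Manufacturer
        Version         = $bios.SMBIOSBIOSVersion
        ReleaseDate     = $bios.ReleaseDate
        MatchesExpected = ($bios.SMBIOSBIOSVersion -eq $ExpectedBiosVersion)
    }
}

function Get-RuntimeMitigationState {
    # Microsoft's SpeculationControl module asks the kernel what is actually active;
    # it is optional here, so report $null when it is not installed.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        Get-SpeculationControlSettings -Quiet
    } else {
        $null
    }
}

$report = [pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Registry = Get-MitigationRegistryState
    Bios     = Get-BiosState
    Runtime  = Get-RuntimeMitigationState
}
$report.Registry | Format-List
$report.Bios     | Format-List
if ($report.Runtime) { $report.Runtime | Format-List }
else { Write-Host 'SpeculationControl module not installed; runtime state not queried.' }
```

Run it once before the updates and once after the Windows patches, the registry change and the BIOS update have all been applied; the registry values alone do not prove the Variant 2 mitigation is active, since that also depends on the firmware, which is why the runtime query is included when the module is available.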


2.0 Applicability

The Meltdown and Spectre patches are available for all currently supported
FreeFlow® Print Server platforms and the Xerox printer products they support.
See the supported products below:

Print Server Software:  FreeFlow® Print Server 2.1
Dell Platform:          Dell T630i (13G)
Xerox Printer Product:  Xerox® iGen®5 Press
                        Xerox® Brenva™ HD Production InkJet Printer

There are unique BIOS firmware updates for the different Dell platforms used as
a Digital Front End (DFE) for the Xerox printer products in the above table.


2.1 Available Patch Update Install Methods

FreeFlow® Print Server Security patch updates are available for delivery on
media (DVD/USB) for the install. The FreeFlow® Print Server customer schedules a
Xerox Analyst or Service Engineer (CSE) to install the Security Patch Update at
the customer account. Xerox® also offers Security Patch Update delivery over the
network from a Xerox server on the Internet using an application called Update
Manager. The updates required for Meltdown and Spectre mitigation cannot be
completely installed using the Update Manager UI or Windows Update. We are only
making the Windows patches available from the Update Manager UI by installing
the January 2018 Security Patch Update, or installing directly from Microsoft
using Windows Update. The BIOS firmware update for FreeFlow Print Server (Dell
x86 platform) must be installed from DVD or USB media.

Update Manager is a GUI-based application used to schedule automatic patch
updates, or to perform manual updates by selecting a ‘Check for Updates’ option.
This method has the advantage of retrieving Security patches at the soonest time
possible. It also carries the most risk, given that these Security patches are
installed directly from Microsoft® untested on the FreeFlow® Print Server
platform by Xerox®. One thing to note is that the Dell BIOS firmware update is
not delivered by Microsoft, and must be provided by a Xerox CSE or Analyst. The
Analyst/CSE can choose to work with a customer, and allow them to install
Security Patch Updates from DVD/USB media, using the Update Manager UI (FreeFlow
Print Server application), or using Windows Update. It is always good practice
to first perform a System Backup of the FreeFlow Print Server v2 / Windows
software and archive it, to mitigate any risks of adverse impacts that could
occur by installing these security patch updates.

The use of Update Manager (GUI-based application) makes it simple for a customer
to install Security patch updates. Downloading and installing Security Patch
Updates using the Update Manager has the advantage of “ease of use” as it
involves accessing the Security Patch Update from a Xerox Server over the
network. In addition, the FreeFlow Print Server team performs testing of
Security Patch Updates prior to releasing them to make sure that they do not
cause any adverse impacts to job processing/printing, or render the printer
inoperable.


2.2 Security Considerations

Security of the network devices and information on a customer network may be a
consideration when deciding whether to use the DVD/USB, FreeFlow® Print Server
Update Manager or Windows Update method of Security Patch Update delivery and
install. When using Update Manager, the external Xerox server that includes the
Security Patch Update does not have access to the FreeFlow® Print Server
platform at a customer site. The FreeFlow® Print Server platform (using Update
Manager) initiates all communication to download the FreeFlow® Print Server
Security Patch Update, and the communication is “secure” using HTTP over the TLS
1.0 protocol (HTTPS on port 443) using an RSA 2018-bit certificate, a SHA2
hash, and AES 256-bit stream encryption algorithms.
Delivery and install of the Security Patch Update using Update Manager may still
be a concern for some highly “secure” customer locations such as US Federal and
State Government sites. Alternatively, delivery and install of Security Patch
Updates from DVD/USB media may be more desirable for these highly Security
sensitive customers. They can perform a Security scan of the DVD/USB media with
a virus protection application prior to install. If the customer does not allow
use of DVD/USB media for devices on their network, you can transfer (using SMB,
SFTP, or SCP) the Security Patch Update to the FreeFlow® Print Server platform,
and then install.


3.0 Patch Install

Xerox® strives to deliver these critical Security Patch Updates in a timely
manner. The customer process to obtain FreeFlow® Print Server Security Patch
Updates is to contact the Xerox hotline support number. The methods of Security
Patch Update delivery and install are over the network using Update Manager,
directly from Microsoft® using Windows Update service, and using DVD/USB media.
It is always good practice to first perform System Backup of the FreeFlow Print
Server v2 / Windows software, and archiving it to mitigate any risks of adverse
impacts that could occur by installing these security patch updates.
We recommend the customer use the FreeFlow® Print Server Update Manager or
Microsoft® Windows Update method if they wish to perform the install on their
own. This gives the customer the option of installing patch updates as soon as
they become available, without needing to rely on the Xerox Service team.
However, for the Meltdown and Spectre mitigation updates it is required to
deliver and install the Dell BIOS firmware update from DVD or USB media. Many
customers do not want the responsibility of installing Security patches, or they
are not comfortable providing a network tunnel to the Xerox® or Microsoft®
servers that store Security patches. In those circumstances, the media install
method is the best option.


3.1 DVD/USB Media Delivery

Xerox® uploads the FreeFlow® Print Server Security patches to a “secure” SFTP
site that is available to the Xerox Analyst and Service once the deliverables
have been tested and approved. The FreeFlow® Print Server patch deliverables are
available as a ZIP archive or ISO image file, and a script used to perform the
install. The Security patches are installed by executing a script, and install
on top of a pre-installed FreeFlow® Print Server software release. The Security
patches can be installed from DVD/USB media, or from the FreeFlow® Print Server
internal hard disk. A PDF document is available with procedures to install the
Security Patch Update using the DVD/USB media delivery method upon request.
The method used to install a Security Patch Update is copy or transfer the ZIP
file update to a directory created under the C:\Users\Administrator directory
(Windows Administrator home directory), extract it, and then execute a script by
typing the script name preceded by a dot and forward slash (E.g.,
./<shell_script_name>).
If the Analyst supports their customer performing the Security Patch Update,
then they must provide the customer with the Security Patch Update install
document and the Security update deliverables. This method of Security Patch
Update install is not as convenient or simple for customer install as the
network install methods offered by Update Manager or Windows Update.


3.2 Update Manager Delivery

The Update Manager is a GUI tool on the FreeFlow® Print Server platform used to
check for Security updates, download Security updates, and install Security
updates. The customer can install FreeFlow® Print Server Security patches using
the Update Manager UI, or schedule Xerox Service to perform the install. The
Dell BIOS firmware update required for mitigation of the Meltdown and Spectre
vulnerabilities is not available using Update Manager. It must be delivered
and installed using DVD or USB media.
Once Security patches are ready for customer delivery, they are uploaded to the
Xerox communication server (a.k.a., Download Manager server). Procedures are
available for the System Administrator or Xerox Service for using the Update
Manager GUI to download and install Security patches over the Internet. The
Update Manager UI has a ‘Check for Updates’ button that can be selected to
retrieve and list patch updates available from the Xerox patch server. When this
option is selected the latest Security Patch Update should be listed (E.g.,
January 2018 Security Patch Update for FreeFlow® Print Server v2) as available
for download and install. The Update Manager UI includes mouse selectable button
options to download and then install the patches.

The customer proxy information is required to be set up on the FreeFlow® Print
Server platform so it can access the Security patches over the Internet. The
FreeFlow® Print Server platform initiates a “secure” communication session with
the Xerox patch server using HTTP over the TLS 1.0 protocol (HTTPS on port 443)
using an RSA 2018-bit certificate, a SHA2 hash, and AES 256-bit stream
encryption algorithms. This connection ensures authentication of the FreeFlow®
Print Server platform with the Xerox® communication server, and sets up
encrypted communication for the patch data transfer. The Xerox® communication
server does not initiate or have access to the FreeFlow® Print Server platform
behind the customer firewall. The Xerox® communication server and FreeFlow®
Print Server system both authenticate each other before making a connection
between the two end-points and performing the patch data transfer.
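Sections 2.2 and 3.2 describe the Update Manager channel in terms of protocol version, certificate key size, hash and cipher. A site that has to justify the network method to its own security review will want those properties recorded from a real handshake rather than from the bulletin, and TLS 1.0 has since been deprecated (RFC 8996), so which versions the server still accepts is worth having on file. The PowerShell below is an added example, not code from the Xerox bulletin or the FreeFlow Print Server software. It uses only the .NET SslStream and X509Chain classes, so it runs in Windows PowerShell 5.1 without extra modules. $TargetHost is a placeholder: the bulletin does not name the Xerox patch server, so substitute the host your Update Manager is configured to reach and run it from the print server itself so that any proxy in the path is part of what is measured.

```powershell
# Added example (not from the Xerox bulletin): record the TLS parameters a client
# negotiates with an HTTPS server, and which protocol versions the server accepts.
# $TargetHost is a placeholder; replace it with the configured patch server.

function Get-TlsSessionInfo {
    param(
        [Parameter(Mandatory)] [string]$TargetHost,
        [int]$Port = 443,
        # Versions offered in the ClientHello. SslProtocols 'Tls' is TLS 1.0.
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls12'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($TargetHost, $Port)
        # Accept the certificate during the handshake so a server with a bad chain
        # still yields data; the chain is re-validated and reported separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocols, $true)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        # PublicKey.Key can throw for key types older frameworks do not wrap.
        $keyBits = try { $cert.PublicKey.Key.KeySize } catch { 'n/a' }

        [pscustomobject]@{
            Host          = $TargetHost
            Protocol      = $ssl.SslProtocol
            KeyExchange   = "$($ssl.KeyExchangeAlgorithm) ($($ssl.KeyExchangeStrength) bit)"
            Cipher        = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength) bit)"
            Hash          = $ssl.HashAlgorithm
            CertSubject   = $cert.Subject
            CertKey       = "$($cert.PublicKey.Oid.FriendlyName) $keyBits bit"
            CertSignature = $cert.SignatureAlgorithm.FriendlyName
            CertNotAfter  = $cert.NotAfter
            ChainValid    = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

function Test-TlsVersions {
    # Offer each version on its own; a server that still completes a TLS 1.0 or
    # TLS 1.1 handshake shows up as Accepted = True for that row.
    param([Parameter(Mandatory)] [string]$TargetHost, [int]$Port = 443)
    foreach ($version in 'Tls', 'Tls11', 'Tls12') {
        $accepted = $true
        try   { Get-TlsSessionInfo -TargetHost $TargetHost -Port $Port -Protocols $version | Out-Null }
        catch { $accepted = $false }
        [pscustomobject]@{ Version = $version; Accepted = $accepted }
    }
}

# Usage: record the negotiated session first, then the version sweep.
$TargetHost = 'patch-server.example.invalid'   # placeholder, not the real Xerox server
Get-TlsSessionInfo -TargetHost $TargetHost | Format-List
Test-TlsVersions   -TargetHost $TargetHost | Format-Table -AutoSize
```

The session record shows what the client actually got (the negotiated version, key exchange and cipher strength, the certificate's key algorithm and size, and whether the chain validates from this machine's trust store), which is the evidence the bulletin's prose description stands in for. Compare ChainValid and the certificate subject against what the Update Manager documentation expects before allowing the download.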


3.3 Microsoft Windows Update Method

Another method to install the Security patches is directly from Microsoft using
the Windows Update service. Installing the Security patches directly from
Microsoft using this service brings some risk, given they have not been tested
by Xerox on a FreeFlow® Print Server platform. It is required that the customer
proxy server information be configured on the FreeFlow® Print Server platform so
that it can gain access to the Microsoft server over the Internet outside of the
customer network. The Dell BIOS firmware update required for mitigation of the
Meltdown and Spectre vulnerabilities is not available using Windows Update. It
must be delivered and installed using DVD or USB media.
We recommend manually performing a FreeFlow® Print Server System Backup and a
Windows checkpoint backup just prior to checking for the Windows patch updates
and installing them. This will give assurance of FreeFlow® Print Server system
recovery if installed Security patches create a software problem or result in
the FreeFlow® Print Server / printer configuration becoming inoperable. The
Security patch updates make changes to only the Windows OS system/files, and not
the FreeFlow® Print Server software. Therefore, the restore of a Windows
checkpoint will reverse the install of the Security patches if recovery is
required, and is much faster than the full System Restore from a System Backup.
We recommend performing a full System Backup for redundancy purposes in case the
checkpoint restore does not work.


4.0 Disclaimer

The information provided in this Xerox® Product Response is provided "as is"
without warranty of any kind. Xerox® Corporation disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Xerox® Corporation be liable
for any damages whatsoever resulting from user's use or disregard of the
information provided in this Xerox® Product Response including direct, indirect,
incidental, consequential, loss of business profits or special damages, even if
Xerox® Corporation has been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
damages so the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
