ESB-2018.1441 - [Win][Appliance] Xerox FreeFlow Print Server: Multiple vulnerabilities 2018-05-10



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1441
                    Xerox FreeFlow Print Server patched
                                10 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Windows
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5148 CVE-2018-5147 CVE-2018-5146
                   CVE-2018-5143 CVE-2018-5142 CVE-2018-5141
                   CVE-2018-5140 CVE-2018-5138 CVE-2018-5137
                   CVE-2018-5136 CVE-2018-5135 CVE-2018-5134
                   CVE-2018-5133 CVE-2018-5132 CVE-2018-5131
                   CVE-2018-5130 CVE-2018-5129 CVE-2018-5128
                   CVE-2018-5127 CVE-2018-5126 CVE-2018-5125
                   CVE-2018-5122 CVE-2018-5121 CVE-2018-5119
                   CVE-2018-5118 CVE-2018-5117 CVE-2018-5116
                   CVE-2018-5115 CVE-2018-5114 CVE-2018-5113
                   CVE-2018-5112 CVE-2018-5111 CVE-2018-5110
                   CVE-2018-5109 CVE-2018-5108 CVE-2018-5107
                   CVE-2018-5106 CVE-2018-5105 CVE-2018-5104
                   CVE-2018-5103 CVE-2018-5102 CVE-2018-5101
                   CVE-2018-5100 CVE-2018-5099 CVE-2018-5098
                   CVE-2018-5097 CVE-2018-5095 CVE-2018-5094
                   CVE-2018-5093 CVE-2018-5092 CVE-2018-5091
                   CVE-2018-5090 CVE-2018-5089 CVE-2018-2815
                   CVE-2018-2814 CVE-2018-2811 CVE-2018-2800
                   CVE-2018-2799 CVE-2018-2798 CVE-2018-2797
                   CVE-2018-2796 CVE-2018-2795 CVE-2018-2794
                   CVE-2018-2790 CVE-2018-1038 CVE-2018-0870
                   CVE-2017-8635 CVE-2017-8618 CVE-2017-8607
                   CVE-2017-8606 CVE-2017-8589 CVE-2017-8578
                   CVE-2016-3485 CVE-2016-3297 CVE-2015-2465
                   CVE-2015-2454 CVE-2015-2381 CVE-2014-6354

Reference:         ESB-2018.1251
                   ESB-2018.1054
                   ESB-2018.1044
                   ESB-2018.0775
                   ESB-2018.0258
                   ESB-2016.2653
                   ESB-2016.1929
                   ESB-2016.1857
                   ESB-2015.1860

Original Bulletin: 
   https://security.business.xerox.com/wp-content/uploads/2018/05/cert_XRX18-015_FFPSv2_Standalone_May2018.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX18-015

Xerox® FreeFlow® Print Server v2 Standalone Supports:
Xerox® iGen®5 Press and
Xerox® Brenva™ HD Production InkJet Printer Products

Patch Version: April 2018 Security Patch Update
Includes: Java 8 Update 172, and Firefox v59.0.2 Patches
Bulletin Date: May 8, 2018

1.0 Background
Microsoft® responds to US CERT advisory council notifications of security
vulnerabilities, referred to as Common Vulnerabilities and Exposures (CVEs), and
develops patches that remediate those applicable to Windows® 7 and its
components (e.g., Windows® Explorer®, .NET Framework®, etc.). The FreeFlow®
Print Server organization has a dedicated development team that actively
reviews the US CERT advisory council CVE notifications and delivers the
Security patch updates from Microsoft® that remediate these risks for the
FreeFlow® Print Server v2 / Windows® 7 Standalone platform. The FreeFlow®
Print Server organization delivers these Security Patch Updates on a quarterly
(i.e., four times a year) basis: the FreeFlow® Print Server engineering team
receives new patch updates in January, April, July and October, and tests them
on supported printer products (such as the Xerox® iGen®5 Press) before
releasing them for customer install. Xerox® tests FreeFlow® Print Server
operations with the patch updates installed to ensure there are no software
issues before they are installed at a customer location. Alternatively, a
customer can use Windows® Update to install patch updates directly from
Microsoft®. If the customer manages their own patch install, the Xerox support
team can suggest options to minimize the risk of FreeFlow® Print Server
operation problems caused by those patch updates. This bulletin announces the
availability of the following:

1. April 2018 Security Patch Update
This supersedes the January 2018 Security Patch Update

2. Java 8 Update 172 Software
This supersedes Java 8 Update 162

3. Firefox v59.0.2 Software
This supersedes Firefox v57.0.3
The US-CERT Common Vulnerabilities and Exposures (CVEs) remediated by the Java
8 Update 172 Software are listed in the table below:

Java 8 Update 172 Software Remediated US-CERT CVE’s
CVE-2016-3485 CVE-2018-2794 CVE-2018-2796 CVE-2018-2798 CVE-2018-2800
CVE-2018-2814 CVE-2018-2790 CVE-2018-2795 CVE-2018-2797 CVE-2018-2799
CVE-2018-2811 CVE-2018-2815
   
The US-CERT CVEs remediated by the April 2018 Security Patch Update are listed
in the table below:

April 2018 Security Patch Update Remediated US-CERT CVE’s
CVE-2014-6354 CVE-2018-0870 CVE-2018-5099 CVE-2018-5110 CVE-2018-5122
CVE-2018-5135 CVE-2015-2381 CVE-2018-1038 CVE-2018-5100 CVE-2018-5111
CVE-2018-5125 CVE-2018-5136 CVE-2015-2454 CVE-2018-5089 CVE-2018-5101
CVE-2018-5112 CVE-2018-5126 CVE-2018-5137 CVE-2015-2465 CVE-2018-5090
CVE-2018-5102 CVE-2018-5113 CVE-2018-5127 CVE-2018-5138 CVE-2016-3297
CVE-2018-5091 CVE-2018-5103 CVE-2018-5114 CVE-2018-5128 CVE-2018-5140
CVE-2017-8578 CVE-2018-5092 CVE-2018-5104 CVE-2018-5115 CVE-2018-5129
CVE-2018-5141 CVE-2017-8589 CVE-2018-5093 CVE-2018-5105 CVE-2018-5116
CVE-2018-5130 CVE-2018-5142 CVE-2017-8606 CVE-2018-5094 CVE-2018-5106
CVE-2018-5117 CVE-2018-5131 CVE-2018-5143 CVE-2017-8607 CVE-2018-5095
CVE-2018-5107 CVE-2018-5118 CVE-2018-5132 CVE-2018-5146 CVE-2017-8618
CVE-2018-5097 CVE-2018-5108 CVE-2018-5119 CVE-2018-5133 CVE-2018-5147
CVE-2017-8635 CVE-2018-5098 CVE-2018-5109 CVE-2018-5121 CVE-2018-5134
CVE-2018-5148

Note: Xerox® recommends that customers evaluate their security needs
periodically and, if they need Security patches to address the above CVEs,
schedule an activity with their Xerox Service team to install this announced
Security Patch Update. Customers can manage their own Security Patch Updates
using Windows® Update services, but we recommend checking with Xerox Service to
reduce the risk of installing patches that have not been tested by Xerox®.

2.0 Applicability
This April 2018 Security Patch Update (including the Java 8 Update 172 software
and Firefox v59.0.2 patches) is available for the FreeFlow® Print Server v2
Software Release running on the Windows® 7 OS. The FreeFlow® Print Server
software releases tested with the April 2018 Security Patch Update installed,
per printer product, are listed below:

    Printer Product      Patch Update Tested Releases
    ---------------      ----------------------------
    iGen®5 Press         CP.22.1.17236.0
                         CP.23.0.18058.0
    Brenva™ Printer      CP.22.1.17282.0

We have not tested the April 2018 Security Patch Update on all earlier
FreeFlow® Print Server v2 releases, but there should not be any problems on
those releases.

2.1 Available Patch Update Install Methods
Xerox® offers delivery of the Security Patch Update over the network from a
Xerox server using an application called FreeFlow® Print Server Update Manager.
Update Manager is a GUI-based application that makes it simple for a customer
to install Security patch updates. Downloading and installing Security Patch
Updates with Update Manager has the advantage of ease of use, as it retrieves
the Security Patch Update from a Xerox server over the network.
In addition, the FreeFlow® Print Server Security Patch Update is available for
install from media (DVD/USB). The FreeFlow® Print Server customer schedules a
Xerox Analyst or Service Engineer (CSE) to install the Security Patch Update at
the customer account. The Analyst/CSE can choose to work with a customer and
allow them to install the Security Patch Update from DVD/USB media themselves.
A customer can also manage Security Patch Updates from a Microsoft® server on
their own using the Windows® Update service built into the operating system.
This is a GUI-based application used to schedule automatic patch updates, or to
perform manual updates by selecting the ‘Check for Updates’ option. This method
has the advantage of retrieving Security patches at the earliest possible time.
It also carries the most risk, since these Security patches are installed
directly from Microsoft® without having been tested on the FreeFlow® Print
Server platform by Xerox®.

2.2 Security Considerations
Security of the network, devices and information on a customer network may be a
consideration when deciding whether to use the DVD/USB, FreeFlow® Print Server
Update Manager or Windows® Update method of Security Patch Update delivery and
install. When using Update Manager, the external Xerox server that includes the
Security Patch Update does not have access to the FreeFlow® Print Server
platform at a customer site.
The FreeFlow® Print Server platform (using Update Manager) initiates all
communication to download the FreeFlow® Print Server Security Patch Update, and
the communication is “secure” by TLS 1.0 over HTTPS (port 443) with the Xerox
communication server. This communication uses an RSA 2018-bit certificate, SHA2
hash and AES 256-bit stream encryption algorithms. This connection ensures
authentication of the FreeFlow® Print Server platform for the Xerox server, and
sets up encrypted communication of the patch data. The Xerox server does not
initiate or have access to the FreeFlow® Print Server platform behind the
customer firewall. The Xerox® server and FreeFlow® Print Server system both
authenticate each other before making a connection between the two end-points,
and patch data transfer.
Delivery and install of the Security Patch Update using Update Manager may
still be a concern for some highly secure customer locations, such as US
Federal and State Government sites. Alternatively, delivery and install of
Security Patch Updates from DVD/USB media may be more desirable for these
highly security-sensitive customers. They can perform a security scan of the
DVD/USB media with a virus protection application prior to install. If the
customer does not allow the use of DVD/USB media for devices on their network,
the Security Patch Update can be transferred (using SMB, SFTP, or SCP) to the
FreeFlow® Print Server platform and then installed from its hard disk.

3.0 Patch Install
Xerox® strives to deliver these critical Security Patch Updates in a timely
manner. To obtain the FreeFlow® Print Server Security Patch Updates (delivered
on a quarterly basis), the customer contacts the Xerox hotline support number.
The methods of Security Patch Update delivery and install are over the network
using FreeFlow® Print Server Update Manager or directly from Microsoft® using
the Windows® Update service, and from media (i.e., DVD/USB).
We recommend that customers who wish to perform the install on their own use
the FreeFlow® Print Server Update Manager or Microsoft® Windows® Update method.
This gives the customer the option of installing these patch updates as soon
as they become available, without relying on the Xerox Service team. Many
customers do not want the responsibility of installing the quarterly Security
Patch Update, or they are not comfortable providing a network tunnel to the
Xerox® or Microsoft® servers that store the Security Patch Update. In those
circumstances, the media install method is the best option.

3.1 Update Manager Delivery
The Update Manager is a GUI tool on the FreeFlow® Print Server platform used to
check for Security updates, download Security updates, and install Security
updates. The customer can install quarterly FreeFlow® Print Server Security
Patch Updates using the Update Manager UI, or schedule Xerox Service to perform
the install.
Once the Security patches are ready for customer delivery, they are available
from the Xerox Edge Host and Download servers. Procedures are available for the
FreeFlow® Print Server System Administrator or Xerox Service for using the
Update Manager GUI to download and install the Security patches over the
Internet. The Update Manager UI has a ‘Check for Updates’ button that retrieves
and lists the patch updates available from the Xerox patch server. When this
option is selected, the latest Security Patch Update (e.g., April 2018 Security
Patch Update for FreeFlow® Print Server v2 Standalone) should be listed as
available for download and install. The Update Manager UI includes
mouse-selectable buttons to download and then install the patches.
Xerox® uploads the FreeFlow® Print Server Security Patch Update to a Xerox
patch server that is available on the Internet outside of the Xerox® Corporate
network once the deliverable has been tested and approved. Once in place on the
Xerox server, a CSE/Analyst or the customer can use the Update Manager UI to
download and install on the FreeFlow® Print Server platform.
The customer proxy information must be set up on the FreeFlow® Print Server
platform so that it can access the Security Patch Update over the Internet. The
FreeFlow® Print Server platform initiates a “secure” communication session with
the Xerox patch server using HTTP over the TLS 1.0 protocol (HTTPS on port 443)
using an RSA 2018-bit certificate, SHA2 hash and AES 256-bit stream encryption
algorithms.

3.2 DVD/USB Media Delivery
Xerox® uploads the FreeFlow® Print Server Security Patch Update to a “secure”
SFTP site that is available to the Xerox Analyst and Service once the
deliverables have been tested and approved. The FreeFlow® Print Server patch
deliverables are available as a ZIP archive or ISO image file, and a script
used to perform the install. The Security Patch Update installs by executing a
script, and installs on top of a pre-installed FreeFlow® Print Server software
release. The install script includes options to install the Security Patch
Update directly from DVD/USB media or from the FreeFlow® Print Server internal
hard disk. A PDF document is available with procedures to install the Security
Patch Update using the DVD/USB media delivery method upon request.
If the Analyst supports their customer performing the Security Patch Update,
then they must provide the customer with the Security Patch Update install
document and the Security update deliverables. This method of Security Patch
Update install is not as convenient or simple for the customer as the network
install methods offered by Update Manager.
The Security Patch Update deliverable filenames and sizes are listed in the
table at the end of this bulletin (after the disclaimer).

3.3 Windows® Update Delivery
The Windows® Update service enables information technology administrators to
deploy the latest Microsoft® product updates to computers that are running the
Windows® operating system. By using the Windows® Update service, administrators
can fully manage the distribution of updates released through Microsoft® Update
to FreeFlow® Print Server platforms on their network. Microsoft® uploads the
patch updates to a server that is available on the Internet outside of the
Microsoft® corporate network once the patch deliverables have been tested and
approved. Installing the Security patches directly from Microsoft® using the
Windows® Update service brings some risk, given that they have not been tested
by Xerox® on the FreeFlow® Print Server platform. The customer proxy server
information must be configured on the FreeFlow® Print Server platform so that
the Windows® Update service can reach the Microsoft® server on the Internet
outside of the customer network. Xerox® is not responsible for the security of
the connection to the Microsoft® patch server. We recommend manually performing
a FreeFlow® Print Server System Backup and creating a Windows® Restore Point
just prior to checking for the Windows® patch updates and installing them. This
gives assurance of FreeFlow® Print Server system recovery if the installed
Security patches create a software problem or result in the FreeFlow® Print
Server software becoming inoperable. The Security Patch Update makes changes
only to the Windows® 7 OS, and not to the FreeFlow® Print Server software.
Therefore, restoring a Windows® Restore Point taken prior to the patch install
will reverse the install of the Security Patch Update if recovery is required,
and is much faster than a full FreeFlow® Print Server System Restore. We
recommend performing a full FreeFlow® Print Server System Backup as well, for
redundancy in case the checkpoint restore does not work. If the system becomes
inoperable such that Windows® is not stable, the FreeFlow® Print Server System
Backup may be the only option for system recovery. Make sure to store the
FreeFlow® Print Server System Backup on a remote storage location or DVD/USB
media.
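Before using the Windows® Update method, the bulletin asks for a System Backup and a Windows® Restore Point. The following PowerShell script, added here as an example and not part of the Xerox bulletin, performs the Windows side of that safeguard on the print server's Windows 7 OS: it creates and verifies the restore point, then lists the pending updates without installing anything, so the list can be compared with the CVE tables above first. The restore point description is an assumed label; the FreeFlow® Print Server System Backup is a product function and is not scripted here.

```powershell
# Added example (not from the Xerox bulletin): pre-patch safeguard for the
# Windows Update delivery method in section 3.3. Run from an elevated
# PowerShell prompt on the FreeFlow Print Server's Windows 7 OS, before
# selecting "Check for Updates" in the Windows Update UI.
$ErrorActionPreference = 'Stop'
$description = 'Pre April 2018 Security Patch Update'   # assumed label

# 1. System Restore must be enabled on the system drive, otherwise no
#    usable checkpoint is produced.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# 2. Create the restore point the bulletin recommends taking just before
#    the Windows patch install. MODIFY_SETTINGS is the generic type for a
#    checkpoint taken ahead of a system change.
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

# 3. Verify the checkpoint actually exists before going any further; a
#    missing restore point means the fast rollback path is gone.
$rp = Get-ComputerRestorePoint |
      Where-Object { $_.Description -eq $description } |
      Sort-Object SequenceNumber -Descending |
      Select-Object -First 1
if (-not $rp) {
    throw "Restore point '$description' was not created; stop before patching."
}
"Restore point #$($rp.SequenceNumber) created: $($rp.Description)"
"Last System Restore status: $(Get-ComputerRestorePoint -LastStatus)"

# 4. Enumerate what Windows Update would install, without installing it,
#    using the Windows Update Agent COM API. The operator reviews this list
#    (and the System Backup) before starting the actual install.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
"{0} update(s) pending from Microsoft Update:" -f $result.Updates.Count
foreach ($u in $result.Updates) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    "{0,-14} {1}" -f $kbs, $u.Title
}
```

If the pending list contains updates beyond the ones tested by Xerox®, that is the point at which to consult Xerox Service, as section 1.0 recommends, rather than after the install.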

4.0 Disclaimer
The information provided in this Xerox® Product Response is provided "as is"
without warranty of any kind. Xerox® Corporation disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Xerox® Corporation be
liable for any damages whatsoever resulting from user's use or disregard of the
information provided in this Xerox® Product Response including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Xerox® Corporation has been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential damages so the foregoing limitation may not apply. © 2018 Xerox
Corporation. All rights reserved. Xerox® and Xerox and Design®, FreeFlow®,
iGen®, Brenva® are trademarks of Xerox Corporation in the United States and/or
other countries. BR21127
Other company trademarks are also acknowledged.

Security Patch Update deliverable filenames and sizes (referenced in section 3.2):

    Security Patch Update File                           Windows® File Size (KB)   Size in Bytes
    ---------------------------------------------------  -----------------------   -------------
    FFPSv2-Win7_Standalone_SecPatchUpdate_Apr2018.zip    2,363,828                 2,420,559,679
    FFPSv2-Win7_Standalone_SecPatchUpdate_Apr2018.iso    2,364,178                 2,420,918,272

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
