===========================================================================
              AUSCERT Security Bulletin ASB-2019.0230
   Xerox announces mitigation for man-in-the-middle attacks on CBC mode
                             cipher suites
                             12 August 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Xerox products
Operating System:   Printer
Impact/Access:      Access Privileged Data         -- Remote/Unauthenticated
                    Provide Misleading Information -- Remote/Unauthenticated
Resolution:         Mitigation

Member content until: Wednesday, September 11 2019

OVERVIEW

        Xerox have announced mitigation steps for man-in-the-middle attacks
        against certain products via certain cipher suites employing
        Cipher-Block-Chaining mode. Xerox classifies this mitigation as
        Critical. [1]

IMPACT

        Xerox advises the following:

        "Servers that utilize TLS1.0, TLS1.1, and TLS1.2 with
        Cipher-Block-Chaining mode cipher suites enabled are susceptible to
        man-in-the-middle attacks that exploit MAC padding." [1]

        The mitigation steps mentioned below apply to the network-connected
        versions of the following products:

        Xerox WorkCentre: 5325, 5330, 5335
        Xerox Color:      550, 560, C60, C70
        Xerox:            D95, D95A, D110, D125, D136
        Xerox Versant:    180, 3100
        Xerox VersaLink:  all devices [1]

MITIGATION

        Xerox advises:

        "To mitigate this vulnerability on Xerox print systems that do not
        support disabling CBC mode ciphers make sure that the device is setup
        in a secure environment. In addition:

        1. Ensure the system is behind a network firewall.
        2. Provide physical security controls to limit access to the network
           from an internal location.
        3. Always install the most current software/firmware versions.

        For Xerox print systems that do support disabling CBC ciphers, make
        sure that the servers communicating with these Xerox print systems
        are configured to disallow use of CBC mode." [1]

REFERENCES

        [1] Xerox Security Bulletin XRX19-015
            https://security.business.xerox.com/wp-content/uploads/2019/07/cert_XRX19-015-v1.2.pdf

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
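The mitigation above, for print systems that support it, is to configure the servers that talk to them so that no CBC-mode cipher suite can be negotiated. The Python below is an added example, not part of the AusCERT or Xerox bulletin: it classifies IANA-style (TLS_..._CBC_...) and OpenSSL-style (AES128-SHA) suite names as CBC or not, and builds an ssl context restricted to AEAD suites so the check can be run against your own build; the HARDENED_CIPHERS string and the name heuristics are assumptions to confirm against `openssl ciphers -v`.

```python
"""Flag CBC-mode TLS cipher suites and build a context that excludes them.

Added example (not from the AusCERT/Xerox bulletin). The cipher string and
the name heuristics below are assumptions; verify them with `openssl ciphers -v`.
"""
import ssl
from typing import List

# Markers that identify an AEAD (non-CBC) construction in OpenSSL-style names.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")
# Block ciphers that OpenSSL runs in CBC mode when no AEAD marker is present
# (RC4 and NULL are not block ciphers and are deliberately absent).
CBC_BLOCK_CIPHERS = ("AES", "CAMELLIA", "DES", "SEED", "IDEA", "ARIA")

# Assumed hardened string: forward-secret AEAD suites only, no CBC at all.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def is_cbc_suite(name: str) -> bool:
    """Return True if a suite name (IANA or OpenSSL style) denotes CBC mode."""
    upper = name.upper()
    if "_CBC_" in upper:          # IANA-style name states the mode explicitly
        return True
    if "_" in upper:              # other IANA-style and TLS 1.3 names: not CBC
        return False
    if any(marker in upper for marker in AEAD_MARKERS):
        return False              # OpenSSL name of an AEAD suite
    return any(cipher in upper for cipher in CBC_BLOCK_CIPHERS)


def cbc_suites_enabled(context: ssl.SSLContext) -> List[str]:
    """Names of the CBC-mode suites this context would still negotiate."""
    return [c["name"] for c in context.get_ciphers() if is_cbc_suite(c["name"])]


def hardened_context() -> ssl.SSLContext:
    """Client context limited to AEAD suites; TLS 1.3 suites are all AEAD."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


if __name__ == "__main__":
    # Compare the interpreter's default suite list with the hardened one.
    print("CBC suites in default context: ", cbc_suites_enabled(ssl.create_default_context()))
    print("CBC suites in hardened context:", cbc_suites_enabled(hardened_context()))
```

The same `is_cbc_suite` check can be applied to the suite a server actually negotiated (`SSLSocket.cipher()[0]`) to confirm a peer no longer selects CBC mode.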