-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4343
                      Xerox Security Bulletin XRX19-029
                              18 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11754 CVE-2019-11753 CVE-2019-11752 CVE-2019-11751
                   CVE-2019-11750 CVE-2019-11749 CVE-2019-11748 CVE-2019-11747
                   CVE-2019-11746 CVE-2019-11744 CVE-2019-11743 CVE-2019-11742
                   CVE-2019-11741 CVE-2019-11740 CVE-2019-11738 CVE-2019-11737
                   CVE-2019-11736 CVE-2019-11735 CVE-2019-11734 CVE-2019-11733
                   CVE-2019-11068 CVE-2019-9812 CVE-2019-9518 CVE-2019-9514
                   CVE-2019-9513 CVE-2019-9512 CVE-2019-9511 CVE-2019-9506
                   CVE-2019-8070 CVE-2019-8069 CVE-2019-7845 CVE-2019-5849
                   CVE-2019-2999 CVE-2019-2996 CVE-2019-2992 CVE-2019-2989
                   CVE-2019-2988 CVE-2019-2983 CVE-2019-2981 CVE-2019-2978
                   CVE-2019-2975 CVE-2019-2973 CVE-2019-2964 CVE-2019-2962
                   CVE-2019-2958 CVE-2019-2949 CVE-2019-2945 CVE-2019-2933
                   CVE-2019-2894 CVE-2019-1212 CVE-2019-1206 CVE-2019-1198
                   CVE-2019-1197 CVE-2019-1195 CVE-2019-1194 CVE-2019-1193
                   CVE-2019-1192 CVE-2019-1187 CVE-2019-1186 CVE-2019-1183
                   CVE-2019-1182 CVE-2019-1181 CVE-2019-1180 CVE-2019-1179
                   CVE-2019-1178 CVE-2019-1177 CVE-2019-1176 CVE-2019-1172
                   CVE-2019-1168 CVE-2019-1164 CVE-2019-1163 CVE-2019-1162
                   CVE-2019-1159 CVE-2019-1158 CVE-2019-1157 CVE-2019-1156
                   CVE-2019-1155 CVE-2019-1153 CVE-2019-1152 CVE-2019-1151
                   CVE-2019-1150 CVE-2019-1149 CVE-2019-1148 CVE-2019-1147
                   CVE-2019-1146 CVE-2019-1145 CVE-2019-1144 CVE-2019-1143
                   CVE-2019-1140 CVE-2019-1139 CVE-2019-1133 CVE-2019-1113
                   CVE-2019-1083 CVE-2019-1078 CVE-2019-1057 CVE-2019-1030
                   CVE-2019-1006 CVE-2019-0736 CVE-2019-0723 CVE-2019-0720
                   CVE-2019-0718 CVE-2019-0716 CVE-2019-0715 CVE-2019-0714
                   CVE-2018-4877 CVE-2018-3646 CVE-2018-3640 CVE-2018-3639
                   CVE-2018-3620 CVE-2018-3615
Reference:         ASB-2019.0330
                   ASB-2019.0323
                   ASB-2019.0322
                   ASB-2019.0311
                   ASB-2019.0290

Original Bulletin: 
   https://security.business.xerox.com/wp-content/uploads/2019/11/cert_XRX19-029_FFPSv2_Win10_SecurityBulletin_Nov2019.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX19-029
Xerox FreeFlow Print Server v2 (Windows 10)

Supports:
  o Xerox iGen5 Press

Patch Version: October 2019 Security Patch Update
Includes: Java 8 Update 231, and Firefox v69.0.3 Patches
Bulletin Date: November 12, 2019

1.0 Background

Microsoft responds to US CERT advisory council notifications of Security
vulnerabilities, referred to as Common Vulnerabilities and Exposures (CVEs),
and develops patches that remediate the Security vulnerabilities applicable to
Windows 10 and its components (e.g., Windows Explorer, .Net Framework, etc.).

The FreeFlow Print Server organization has a dedicated development team, which
actively reviews the US CERT advisory council CVE notifications and delivers
Security patch updates from Microsoft to remediate the threat of these Security
risks for the FreeFlow Print Server v2 / Windows v10 (supporting the Integrated
and Standalone platforms).

The FreeFlow Print Server organization delivers Security Patch Updates for the
FreeFlow Print Server v2 / Windows v10 platform on a quarterly (i.e., 4 times a
year) basis. The FreeFlow Print Server engineering team receives new patch
updates in January, April, July and October, and tests them for supported
Printer products (such as iGen5 printers) prior to delivery for customer
install. Xerox tests FreeFlow Print Server operations with the patch updates to
ensure there are no software issues prior to installing them at a customer
location. Alternatively, a customer can use Windows Update to install patch
updates directly from Microsoft.
If the customer manages their own patch install, the Xerox support team can
suggest options to minimize the risk of FreeFlow Print Server operation
problems that could result from patch updates.

This bulletin announces the availability of the following:

1. October 2019 Security Patch Update
   o This supersedes the July 2019 Security Patch Cluster
2. Java 8 Update 231 Software
   o This supersedes Java 8 Update 221 Software
3. Firefox v69.0.3 Software
   o This supersedes Firefox v68.0.1

See the US-CERT Common Vulnerability Exposures (CVE) for the October 2019
Security Patch Update in the table below:

October 2019 Security Patch Update Remediated US-CERT CVEs

CVE-2018-3615  CVE-2019-0736  CVE-2019-1144  CVE-2019-1157  CVE-2019-1180  CVE-2019-1206
CVE-2018-3620  CVE-2019-1006  CVE-2019-1145  CVE-2019-1158  CVE-2019-1181  CVE-2019-1212
CVE-2018-3639  CVE-2019-1030  CVE-2019-1146  CVE-2019-1159  CVE-2019-1182  CVE-2019-2894
CVE-2018-3640  CVE-2019-1057  CVE-2019-1147  CVE-2019-1162  CVE-2019-1183  CVE-2019-7845
CVE-2018-3646  CVE-2019-1078  CVE-2019-1148  CVE-2019-1163  CVE-2019-1186  CVE-2019-8069
CVE-2018-4877  CVE-2019-1083  CVE-2019-1149  CVE-2019-1164  CVE-2019-1187  CVE-2019-8070
CVE-2019-0714  CVE-2019-11068 CVE-2019-1150  CVE-2019-1168  CVE-2019-1192  CVE-2019-9506
CVE-2019-0715  CVE-2019-1113  CVE-2019-1151  CVE-2019-1172  CVE-2019-1193  CVE-2019-9511
CVE-2019-0716  CVE-2019-1133  CVE-2019-1152  CVE-2019-1176  CVE-2019-1194  CVE-2019-9512
CVE-2019-0718  CVE-2019-1139  CVE-2019-1153  CVE-2019-1177  CVE-2019-1195  CVE-2019-9513
CVE-2019-0720  CVE-2019-1140  CVE-2019-1155  CVE-2019-1178  CVE-2019-1197  CVE-2019-9514
CVE-2019-0723  CVE-2019-1143  CVE-2019-1156  CVE-2019-1179  CVE-2019-1198  CVE-2019-9518

See the US-CERT Common Vulnerability Exposures (CVE) for the Java 8 Update 231
Software in the table below:

Java 8 Update 231 Software Remediated US-CERT CVEs

CVE-2019-11068 CVE-2019-2945  CVE-2019-2962  CVE-2019-2975  CVE-2019-2983  CVE-2019-2992
CVE-2019-2894  CVE-2019-2949  CVE-2019-2964  CVE-2019-2978  CVE-2019-2988  CVE-2019-2996
CVE-2019-2933  CVE-2019-2958  CVE-2019-2973  CVE-2019-2981  CVE-2019-2989  CVE-2019-2999

See the US-CERT Common Vulnerability Exposures (CVE) for the Firefox v69.0.3
Update in the table below:

Firefox v69.0.3 Update Remediated US-CERT CVEs

CVE-2019-11733 CVE-2019-11737 CVE-2019-11742 CVE-2019-11747 CVE-2019-11751 CVE-2019-5849
CVE-2019-11734 CVE-2019-11738 CVE-2019-11743 CVE-2019-11748 CVE-2019-11752 CVE-2019-9812
CVE-2019-11735 CVE-2019-11740 CVE-2019-11744 CVE-2019-11749 CVE-2019-11753
CVE-2019-11736 CVE-2019-11741 CVE-2019-11746 CVE-2019-11750 CVE-2019-11754

Note: Xerox recommends that customers evaluate their security needs
periodically and, if they need Security patches to address the above CVE
issues, schedule an activity with their Xerox Service team to install this
announced Security Patch Update. The customer can manage their own Security
Patch Updates using Windows Update services, but we recommend checking with
Xerox Service to reduce the risk of installing patches that have not been
tested by Xerox.

2.0 Applicability

This October 2019 Security Patch Update (including Java 8 Update 231 software
and Firefox v69.0.3 patches) is available for the FreeFlow Print Server v2
Software Release running on the Windows v10 OS. The FreeFlow Print Server
software releases tested with the October 2019 Security Patch Update installed,
per printer product, are listed below:

Printer Product   Patch Update Tested Releases
iGen5 Press       CP.24.0.18201.0
                  CP.24.0.19114.0

This is the first FreeFlow Print Server release running on Windows 10 for
iGen5.

2.1 Available Patch Update Install Methods

Xerox offers Security Patch Update delivery over the network from a Xerox
server using an application called FreeFlow Print Server Update Manager. The
use of Update Manager (a GUI-based application) makes it simple for a customer
to install Security patch updates.
Downloading and installing Security Patch Updates using the Update Manager has
the advantage of ease of use, as it involves accessing the Security Patch
Update from a Xerox Server over the network.

In addition, the FreeFlow Print Server Security Patch Update is available for
delivery on media (DVD/USB) for the install. The FreeFlow Print Server customer
schedules a Xerox Analyst or Service Engineer (CSE) to install the Security
Patch Update at the customer account. The Analyst/CSE can choose to work with a
customer and allow them to install the Security Patch Updates from DVD/USB
media.

A customer can also manage Security Patch Updates from a Microsoft server on
their own using the Windows Update service built into the Operating System.
This is a GUI-based application used to schedule automatic patch updates, or to
perform manual updates by selecting the Check for Updates option. This method
has the advantage of retrieving Security patches at the soonest time possible.
It also carries the most risk, because the Security patches are installed
directly from Microsoft without having been tested by Xerox on the FreeFlow
Print Server platform.

2.2 Security Considerations

Security of the network, devices and information on a customer network may be
a consideration when deciding whether to use the DVD/USB, FreeFlow Print Server
Update Manager or Windows Update method of Security Patch Update delivery and
install.

When using Update Manager, the external Xerox server that hosts the Security
Patch Update does not have access to the FreeFlow Print Server platform at a
customer site. The FreeFlow Print Server platform (using Update Manager)
initiates all communication to download the FreeFlow Print Server Security
Patch Update, and the communication with the Xerox communication server is
secured by TLS 1.0 over HTTPS (port 443). This communication uses an RSA
2048-bit certificate, SHA2 hash and AES 256-bit stream encryption algorithms.
This connection ensures authentication of the FreeFlow Print Server platform to
the Xerox server, and sets up encrypted communication of the patch data. The
Xerox server does not initiate or have access to the FreeFlow Print Server
platform behind the customer firewall. The Xerox server and FreeFlow Print
Server system both authenticate each other before making a connection between
the two end-points and transferring patch data.

Delivery and install of the Security Patch Update using Update Manager may
still be a concern for some highly secure customer locations such as US Federal
and State Government sites. Alternatively, delivery and install of Security
Patch Updates from DVD/USB media may be more desirable for these highly
security-sensitive customers. They can perform a Security scan of the DVD/USB
media with a virus protection application prior to install. If the customer
does not allow use of DVD/USB media for devices on their network, you can
transfer (using SMB, SFTP, or SCP) the Security Patch Update to the FreeFlow
Print Server platform, and then install it.

3.0 Patch Install

Xerox strives to deliver these critical Security Patch Updates in a timely
manner. The customer process to obtain FreeFlow Print Server Security Patch
Updates (delivered on a quarterly basis) is to contact the Xerox hotline
support number. The methods of Security Patch Update delivery and install are
over the network using FreeFlow Print Server Update Manager or directly from
Microsoft using the Windows Update service, and using media (i.e., DVD/USB). We
recommend the customer use the FreeFlow Print Server Update Manager or
Microsoft Windows Update method if they wish to perform the install on their
own. This gives the customer the option of installing these patch updates as
soon as they become available, without needing to rely on the Xerox Service
team.
Many customers do not want the responsibility of installing the quarterly
Security Patch Update, or they are not comfortable providing a network tunnel
to the Xerox or Microsoft servers that store the Security Patch Update. In this
case, the media install method is the best option.

3.1 Update Manager Delivery

The Update Manager is a GUI tool on the FreeFlow Print Server platform used to
check for, download and install Security updates. The customer can install
quarterly FreeFlow Print Server Security Patch Updates using the Update Manager
UI, or schedule Xerox Service to perform the install. Once the Security patches
are ready for customer delivery, they are available from the Xerox Edge Host
and Download servers. Procedures are available for the FreeFlow Print Server
System Administrator or Xerox Service for using the Update Manager GUI to
download and install the Security patches over the Internet.

The Update Manager UI has a Check for Updates button that can be selected to
retrieve and list patch updates available from the Xerox patch server. When
this option is selected, the latest Security Patch Update should be listed
(e.g., October 2019 Security Patch Update for FFPS v2 / Windows 10) as
available for download and install. The Update Manager UI includes
mouse-selectable buttons to download and then install the patches.

Xerox uploads the FreeFlow Print Server Security Patch Update to a Xerox patch
server that is available on the Internet outside of the Xerox Corporate network
once the deliverable has been tested and approved. Once in place on the Xerox
server, a CSE/Analyst or the customer can use the Update Manager UI to download
and install it on the FreeFlow Print Server platform. The customer proxy
information must be set up on the FreeFlow Print Server platform so it can
access the Security Patch Update over the Internet.
The FreeFlow Print Server platform initiates a secure communication session
with the Xerox patch server using HTTP over the TLS 1.0 protocol (HTTPS on port
443) with an RSA 2048-bit certificate, SHA2 hash and AES 256-bit stream
encryption algorithms. This connection ensures authentication of the FreeFlow
Print Server platform to the Xerox server, and sets up encrypted communication
of the patch data. The Xerox server does not initiate or have access to the
FreeFlow Print Server platform behind the customer firewall. The Xerox server
and FreeFlow Print Server system both authenticate each other before making a
connection between the two end-points and transferring patch data.

3.2 DVD/USB Media Delivery

Xerox uploads the FreeFlow Print Server Security Patch Update to a secure SFTP
site that is available to the Xerox Analyst and Service once the deliverables
have been tested and approved. The FreeFlow Print Server patch deliverables are
available as a ZIP archive or ISO image file, plus a script used to perform the
install. The Security Patch Update installs by executing that script on top of
a pre-installed FreeFlow Print Server software release. The install script
includes options to install the Security Patch Update directly from DVD/USB
media or from the FreeFlow Print Server internal hard disk. A PDF document with
procedures to install the Security Patch Update using the DVD/USB media
delivery method is available upon request. If the Analyst supports their
customer performing the Security Patch Update, then they must provide the
customer with the Security Patch Update install document and the Security
update deliverables. This method of Security Patch Update install is not as
convenient or simple for customer install as the network install methods
offered by Update Manager.
See the Security Patch Update deliverable filenames and sizes in the table
below:

Security Patch Update File                Windows(R) File Size   Size in Bytes
                                          (K-bytes)
FFPSv2-Win10_SecPatchUpdate_Oct2019.zip   3,171,656              3,247,775,192
FFPSv2-Win10_SecPatchUpdate_Oct2019.iso   3,172,006              3,248,134,144

3.3 Windows Update Delivery

The Windows Update service enables information technology administrators to
deploy the latest Microsoft product updates to computers that are running the
Windows operating system. By using the Windows Update service, administrators
can fully manage the distribution of updates released through Microsoft Update
to FreeFlow Print Server platforms on their network. Microsoft uploads the
Patch Updates to a server that is available on the Internet outside of the
Microsoft Corporate network once patch deliverables have been tested and
approved. Installing the Security patches directly from Microsoft using the
Windows Update service brings some risk, given they have not been tested by
Xerox on the FreeFlow Print Server platform.

The customer proxy server information must be configured on the FreeFlow Print
Server platform so that the Windows Update service can gain access to the
Microsoft server on the Internet outside of the customer network. Xerox is not
responsible for the Security of the connection to the Microsoft patch server.

We recommend manually performing a FreeFlow Print Server System Backup and a
Windows Restore Point backup just prior to checking for the Windows patch
updates and installing them. This gives assurance of FreeFlow Print Server
system recovery if the installed Security patches create a software problem or
result in the FreeFlow Print Server software becoming inoperable. The Security
Patch Update makes changes only to the Windows 10 OS, and not to the FreeFlow
Print Server software.
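The pre-install checks that sections 3.2 and 3.3 call for, as an added PowerShell example; this is not code from the Xerox bulletin or from AusCERT. It assumes Windows PowerShell 5.1 run as Administrator on the FreeFlow Print Server v2 / Windows 10 platform; the deliverable path, baseline directory and restore-point description are placeholders chosen by the operator. The byte sizes are the ones published in the table above. The bulletin publishes sizes only, so the SHA-256 the script records is for comparison with a value obtained from Xerox Service rather than with anything on this page. The FreeFlow Print Server System Backup itself is taken with the FreeFlow Print Server tooling and is not scripted here.

```powershell
# Added example, not code from the Xerox bulletin or from AusCERT.
# Assumes Windows PowerShell 5.1 run as Administrator on the FreeFlow Print
# Server v2 / Windows 10 platform. Paths and the restore-point description are
# placeholders chosen by the operator.

# Byte sizes exactly as published in the bulletin's deliverable table (3.2).
$PublishedSizes = @{
    'FFPSv2-Win10_SecPatchUpdate_Oct2019.zip' = 3247775192
    'FFPSv2-Win10_SecPatchUpdate_Oct2019.iso' = 3248134144
}

function Test-PatchDeliverable {
    # Confirms a DVD/USB or SFTP/SCP-transferred deliverable is one of the files
    # named in XRX19-029 and has the published size; records SHA-256 for the
    # change record.
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    if (-not $PublishedSizes.ContainsKey($file.Name)) {
        throw "'$($file.Name)' is not a deliverable named in XRX19-029."
    }
    $expected = [int64]$PublishedSizes[$file.Name]
    # The bulletin publishes sizes only, no hashes. Keep the SHA-256 so it can
    # be compared with a value obtained from Xerox Service (not on the page).
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File         = $file.Name
        SizeBytes    = $file.Length
        ExpectedSize = $expected
        SizeMatches  = ($file.Length -eq $expected)
        Sha256       = $sha256
    }
}

function New-PreUpdateBaseline {
    # Takes the Windows Restore Point the bulletin recommends before Windows
    # Update (3.3) and snapshots the installed hotfixes so the post-install
    # Get-HotFix output can be diffed against it.
    param(
        [Parameter(Mandatory)][string]$BaselineDir,
        [string]$Description = 'Before FFPS Oct2019 Security Patch Update'
    )

    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    Enable-ComputerRestore -Drive 'C:\'
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Windows 10 creates at most one restore point per 24 hours by default
    # (SystemRestorePointCreationFrequency); Checkpoint-Computer only warns when
    # it is throttled, so verify the point actually exists before proceeding.
    $point = Get-ComputerRestorePoint |
        Where-Object { $_.Description -eq $Description } |
        Sort-Object SequenceNumber | Select-Object -Last 1
    if ($null -eq $point) {
        throw 'No restore point was created; do not start Windows Update yet.'
    }

    # Baseline of installed hotfixes, written as CSV for later comparison.
    Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
        Sort-Object HotFixID |
        Export-Csv -Path (Join-Path $BaselineDir 'hotfixes-before.csv') -NoTypeInformation

    $point
}

# Example calls (paths are placeholders):
# Test-PatchDeliverable -Path 'E:\FFPSv2-Win10_SecPatchUpdate_Oct2019.iso'
# New-PreUpdateBaseline -BaselineDir 'C:\FFPS-PatchBaseline'
```

A `SizeMatches` of `False` means the copy is truncated or is not the deliverable the bulletin describes, and the install script should not be run on it. After Windows Update has finished, exporting `Get-HotFix` again and running `Compare-Object` on the two CSVs by `HotFixID` documents exactly which updates the session added, which is the record you want beside the restore point if the FreeFlow Print Server software later misbehaves and the bulletin's Restore Point rollback has to be used.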
Therefore, restoring a Windows Restore Point (taken prior to the patch install)
will reverse the install of the Security Patch Update if recovery is required,
and is much faster than a full FreeFlow Print Server System Restore. We
recommend performing a full FreeFlow Print Server System Backup for redundancy
purposes in case the checkpoint restore does not work. The only option for
FreeFlow Print Server system recovery may be the FreeFlow Print Server System
Backup if the system should become inoperable such that Windows is not stable.
Make sure to store the FreeFlow Print Server System Backup on a remote storage
location or DVD/USB media.

4.0 Disclaimer

The information provided in this Xerox Product Response is provided "as is"
without warranty of any kind. Xerox Corporation disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Xerox Corporation be liable
for any damages whatsoever resulting from user's use or disregard of the
information provided in this Xerox Product Response including direct, indirect,
incidental, consequential, loss of business profits or special damages, even if
Xerox Corporation has been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
damages so the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXdH06GaOgq3Tt24GAQhhqQ/+NNexARtazR+halX61xuOIfK1RDopMxrv
y8c2bcLhn0RpWN+j5uuafpK1wzBgNMI8MQwEPmqah8/LReKpnJQOVQ+Io7bCMBd4
Uh9ygyQtdwHeDvTCbZf1jPq5xf802efLkldjITgzu8yIRjK3DhoTofzDkKPjAOzf
890L5PYsuUIbUW+xgi9GaEPP5n3PQZTEpuD2z/mtaG1mbtiIJLGgQclFqtB5xy1n
g29Uxvhd9HAJE/iwFy6GZ5/JhRXOtSmCD4cGe66tXYzQ87FJjipbnSVCvl3COoI6
0OF0DtyPiLP8rode/gQ3XCy0kVDgsJ7RIYzYD4ILNp47IUBIBJSDLnaOVTALBMXY
fRgP1Ypqu9FAUOt4eL1rT3dIRmArs8xVA9VcyQiU2AvMtDrvTVBITvNU8Vde9ycw
eA/ikcJqzhKE1sr2qbvb7Uige8XevsSqL8r0UdFhvVtQRAfGBFb9v3/XXzCw3K+D
HcdnyNgvBGydB1E+ghOSUO31YbnvZefs+LC4E7qv7CCON/oOr+Xm2LW+ry/yTtts
s8fVgnTytnCNgIfzauzeXn6GdDe+VGwBcsyaTiCjLxnDOLOcOY2hL2gEcDaOP0Ds
f/V7IJlZSWDbCxFFWnSlGB83GIgXReRVFQACvIlgEhoil+tRc+gBNco9HUdBr/q6
8EvFAugbbMY=
=zA4f
-----END PGP SIGNATURE-----