-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4343
                     Xerox Security Bulletin XRX19-029
                             18 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11754 CVE-2019-11753 CVE-2019-11752
                   CVE-2019-11751 CVE-2019-11750 CVE-2019-11749
                   CVE-2019-11748 CVE-2019-11747 CVE-2019-11746
                   CVE-2019-11744 CVE-2019-11743 CVE-2019-11742
                   CVE-2019-11741 CVE-2019-11740 CVE-2019-11738
                   CVE-2019-11737 CVE-2019-11736 CVE-2019-11735
                   CVE-2019-11734 CVE-2019-11733 CVE-2019-11068
                   CVE-2019-9812 CVE-2019-9518 CVE-2019-9514
                   CVE-2019-9513 CVE-2019-9512 CVE-2019-9511
                   CVE-2019-9506 CVE-2019-8070 CVE-2019-8069
                   CVE-2019-7845 CVE-2019-5849 CVE-2019-2999
                   CVE-2019-2996 CVE-2019-2992 CVE-2019-2989
                   CVE-2019-2988 CVE-2019-2983 CVE-2019-2981
                   CVE-2019-2978 CVE-2019-2975 CVE-2019-2973
                   CVE-2019-2964 CVE-2019-2962 CVE-2019-2958
                   CVE-2019-2949 CVE-2019-2945 CVE-2019-2933
                   CVE-2019-2894 CVE-2019-1212 CVE-2019-1206
                   CVE-2019-1198 CVE-2019-1197 CVE-2019-1195
                   CVE-2019-1194 CVE-2019-1193 CVE-2019-1192
                   CVE-2019-1187 CVE-2019-1186 CVE-2019-1183
                   CVE-2019-1182 CVE-2019-1181 CVE-2019-1180
                   CVE-2019-1179 CVE-2019-1178 CVE-2019-1177
                   CVE-2019-1176 CVE-2019-1172 CVE-2019-1168
                   CVE-2019-1164 CVE-2019-1163 CVE-2019-1162
                   CVE-2019-1159 CVE-2019-1158 CVE-2019-1157
                   CVE-2019-1156 CVE-2019-1155 CVE-2019-1153
                   CVE-2019-1152 CVE-2019-1151 CVE-2019-1150
                   CVE-2019-1149 CVE-2019-1148 CVE-2019-1147
                   CVE-2019-1146 CVE-2019-1145 CVE-2019-1144
                   CVE-2019-1143 CVE-2019-1140 CVE-2019-1139
                   CVE-2019-1133 CVE-2019-1113 CVE-2019-1083
                   CVE-2019-1078 CVE-2019-1057 CVE-2019-1030
                   CVE-2019-1006 CVE-2019-0736 CVE-2019-0723
                   CVE-2019-0720 CVE-2019-0718 CVE-2019-0716
                   CVE-2019-0715 CVE-2019-0714 CVE-2018-4877
                   CVE-2018-3646 CVE-2018-3640 CVE-2018-3639
                   CVE-2018-3620 CVE-2018-3615 

Reference:         ASB-2019.0330
                   ASB-2019.0323
                   ASB-2019.0322
                   ASB-2019.0311
                   ASB-2019.0290

Original Bulletin: 
   https://security.business.xerox.com/wp-content/uploads/2019/11/cert_XRX19-029_FFPSv2_Win10_SecurityBulletin_Nov2019.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX19-029
Xerox FreeFlow Print Server v2 (Windows 10)

Supports:
 o Xerox iGen5 Press

Patch Version: October 2019 Security Patch Update
Includes:      Java 8 Update 231, and Firefox v69.0.3 Patches
Bulletin Date: November 12, 2019

1.0 Background

Microsoft responds to US CERT advisory council notifications of Security
vulnerabilities, referred to as Common Vulnerabilities and Exposures (CVEs),
and develops patches that remediate the Security vulnerabilities applicable to
Windows 10 and its components (e.g., Windows Explorer, .NET Framework, etc.).
The FreeFlow Print Server organization has a dedicated development team, which
actively reviews the US CERT advisory council CVE notifications and delivers
Security patch updates from Microsoft to remediate the threat of these
Security risks for FreeFlow Print Server v2 / Windows 10 (supporting the
Integrated and Standalone platforms).

The FreeFlow Print Server organization delivers Security Patch Updates for the
FreeFlow Print Server v2 / Windows 10 platform on a quarterly (i.e., four
times a year) basis. The FreeFlow Print Server engineering team receives new
patch updates in January, April, July and October, and tests them on the
supported printer products (such as iGen5 printers) prior to delivery for
customer install.

Xerox tests FreeFlow Print Server operations with the patch updates to ensure
there are no software issues prior to installing them at a customer location.
Alternatively, a customer can use Windows Update to install patch updates 
directly from Microsoft. If the customer manages their own patch install, the
Xerox support team can suggest options to minimize the risk of FreeFlow Print
Server operation problems that could result from patch updates.

This bulletin announces the availability of the following:
 1. October 2019 Security Patch Update
  o This supersedes the July 2019 Security Patch Cluster
 2. Java 8 Update 231 Software
  o This supersedes Java 8 Update 221 Software
 3. Firefox v69.0.3 Software
  o This supersedes Firefox v68.0.1

See the US-CERT Common Vulnerabilities and Exposures (CVEs) remediated by the
October 2019 Security Patch Update in the table below:

October 2019 Security Patch Update Remediated US-CERT CVEs
CVE-2018-3615   CVE-2019-0736  CVE-2019-1144  CVE-2019-1157  CVE-2019-1180  CVE-2019-1206
CVE-2018-3620   CVE-2019-1006  CVE-2019-1145  CVE-2019-1158  CVE-2019-1181  CVE-2019-1212
CVE-2018-3639   CVE-2019-1030  CVE-2019-1146  CVE-2019-1159  CVE-2019-1182  CVE-2019-2894
CVE-2018-3640   CVE-2019-1057  CVE-2019-1147  CVE-2019-1162  CVE-2019-1183  CVE-2019-7845
CVE-2018-3646   CVE-2019-1078  CVE-2019-1148  CVE-2019-1163  CVE-2019-1186  CVE-2019-8069
CVE-2018-4877   CVE-2019-1083  CVE-2019-1149  CVE-2019-1164  CVE-2019-1187  CVE-2019-8070
CVE-2019-0714   CVE-2019-11068 CVE-2019-1150  CVE-2019-1168  CVE-2019-1192  CVE-2019-9506
CVE-2019-0715   CVE-2019-1113  CVE-2019-1151  CVE-2019-1172  CVE-2019-1193  CVE-2019-9511
CVE-2019-0716   CVE-2019-1133  CVE-2019-1152  CVE-2019-1176  CVE-2019-1194  CVE-2019-9512
CVE-2019-0718   CVE-2019-1139  CVE-2019-1153  CVE-2019-1177  CVE-2019-1195  CVE-2019-9513
CVE-2019-0720   CVE-2019-1140  CVE-2019-1155  CVE-2019-1178  CVE-2019-1197  CVE-2019-9514
CVE-2019-0723   CVE-2019-1143  CVE-2019-1156  CVE-2019-1179  CVE-2019-1198  CVE-2019-9518

See the US-CERT Common Vulnerabilities and Exposures (CVEs) remediated by the
Java 8 Update 231 Software in the table below:

Java 8 Update 231 Software Remediated US-CERT CVEs
CVE-2019-11068 CVE-2019-2945  CVE-2019-2962  CVE-2019-2975  CVE-2019-2983  CVE-2019-2992
CVE-2019-2894  CVE-2019-2949  CVE-2019-2964  CVE-2019-2978  CVE-2019-2988  CVE-2019-2996
CVE-2019-2933  CVE-2019-2958  CVE-2019-2973  CVE-2019-2981  CVE-2019-2989  CVE-2019-2999

See the US-CERT Common Vulnerabilities and Exposures (CVEs) remediated by the
Firefox v69.0.3 Update in the table below:

Firefox v69.0.3 Update Remediated US-CERT CVEs
CVE-2019-11733 CVE-2019-11737 CVE-2019-11742 CVE-2019-11747 CVE-2019-11751 CVE-2019-5849
CVE-2019-11734 CVE-2019-11738 CVE-2019-11743 CVE-2019-11748 CVE-2019-11752 CVE-2019-9812
CVE-2019-11735 CVE-2019-11740 CVE-2019-11744 CVE-2019-11749 CVE-2019-11753
CVE-2019-11736 CVE-2019-11741 CVE-2019-11746 CVE-2019-11750 CVE-2019-11754

Note: Xerox recommends that customers evaluate their security needs
periodically and, if they need Security patches to address the CVE issues
above, schedule an activity with their Xerox Service team to install this
announced Security Patch Update. The customer can manage their own Security
Patch Updates using Windows Update services, but we recommend checking with
Xerox Service to reduce the risk of installing patches that have not been
tested by Xerox.

2.0 Applicability

This October 2019 Security Patch Update (including Java 8 Update 231 software
and Firefox v69.0.3 Patches) is available for the FreeFlow Print Server v2
Software Release running on the Windows 10 OS. The FreeFlow Print Server
software releases tested with the October 2019 Security Patch Update
installed, per printer product, are listed below:

Printer Product   Patch Update Tested Releases
iGen5 Press       CP.24.0.18201.0
                  CP.24.0.19114.0

This is the first FreeFlow Print Server release running on Windows 10 for 
iGen5.

2.1 Available Patch Update Install Methods

Xerox offers Security Patch Update delivery over the network from a Xerox
server using an application called FreeFlow Print Server Update Manager. The
Update Manager (a GUI-based application) makes it simple for a customer to
install Security patch updates. Downloading and installing Security Patch
Updates using the Update Manager has the advantage of ease of use, since the
Security Patch Update is retrieved from a Xerox server over the network.

In addition, the FreeFlow Print Server Security Patch Update is available for
a delivery method using media (DVD/USB) for the install. The FreeFlow Print 
Server customer schedules a Xerox Analyst or Service Engineer (CSE) to install
the Security Patch Update at the customer account. The Analyst/CSE can choose
to work with a customer, and allow them to install the Security Patch Updates
from DVD/USB media.

A customer can also manage Security Patch Updates from a Microsoft server on
their own using the Windows Update service built into the Operating System.
This is a GUI-based application used to schedule automatic patch updates, or
to perform manual updates by selecting the Check for Updates option. This
method has the advantage of retrieving Security patches at the soonest time
possible. It also carries the most risk, because these Security patches are
installed directly from Microsoft without having been tested by Xerox on the
FreeFlow Print Server platform.


2.2 Security Considerations

Security of the network, devices and information on a customer network may be
a consideration when deciding whether to use the DVD/USB, FreeFlow Print 
Server Update Manager or Windows Update method of Security Patch Update 
delivery and install. When using Update Manager, the external Xerox server 
that includes the Security Patch Update does not have access to the FreeFlow 
Print Server platform at a customer site.

The FreeFlow Print Server platform (using Update Manager) initiates all
communication to download the FreeFlow Print Server Security Patch Update, and
the communication is secured by TLS 1.0 over HTTPS (port 443) with the Xerox
communication server. This communication uses an RSA 2048-bit certificate,
SHA2 hash and AES 256-bit stream encryption algorithms. This connection
ensures authentication of the FreeFlow Print Server platform to the Xerox
server, and sets up encrypted communication of the patch data. The Xerox
server does not initiate or have access to the FreeFlow Print Server platform
behind the customer firewall. The Xerox server and FreeFlow Print Server
system both authenticate each other before making a connection between the two
end-points and transferring patch data.

Delivery and install of the Security Patch Update using Update Manager may
still be a concern for some highly secure customer locations such as US
Federal and State Government sites. Alternatively, delivery and install of
Security Patch Updates from DVD/USB media may be more desirable for these
highly Security-sensitive customers. They can perform a Security scan of the
DVD/USB media with a virus protection application prior to install. If the
customer does not allow use of DVD/USB media for devices on their network, the
Security Patch Update can be transferred (using SMB, SFTP, or SCP) to the
FreeFlow Print Server platform, and then installed.

3.0 Patch Install

Xerox strives to deliver these critical Security Patch Updates in a timely
manner. The customer process to obtain FreeFlow Print Server Security Patch
Updates (delivered on a quarterly basis) is to contact the Xerox hotline
support number. The methods of Security Patch Update delivery and install are
over the network using FreeFlow Print Server Update Manager or directly from
Microsoft using the Windows Update service, and using media (i.e., DVD/USB).

We recommend the customer use the FreeFlow Print Server Update Manager or
Microsoft Windows Update method if they wish to perform the install on their
own. This gives the customer the option of installing these patch updates as
soon as they become available, without needing to rely on the Xerox Service
team. Many customers do not want the responsibility of installing the
quarterly Security Patch Update, or they are not comfortable providing a
network tunnel to the Xerox or Microsoft servers that store the Security Patch
Update. In those circumstances, the media install method is the best option.

3.1 Update Manager Delivery

The Update Manager is a GUI tool on the FreeFlow Print Server platform used to
check for Security updates, download Security updates, and install Security 
updates. The customer can install quarterly FreeFlow Print Server Security 
Patch Updates using the Update Manager UI, or schedule Xerox Service to 
perform the install.

Once the Security patches are ready for customer delivery, they are available
from the Xerox Edge Host and Download servers. Procedures are available for 
the FreeFlow Print Server System Administrator or Xerox Service for using the
Update Manager GUI to download and install the Security patches over the 
Internet. The Update Manager UI has a Check for Updates button that can be 
selected to retrieve and list patch updates available from the Xerox patch 
server. When this option is selected, the latest Security Patch Update should
be listed (e.g., October 2019 Security Patch Update for FFPS v2 / Windows 10)
as available for download and install. The Update Manager UI includes
mouse-selectable buttons to download and then install the patches.

Xerox uploads the FreeFlow Print Server Security Patch Update to a Xerox patch
server that is available on the Internet outside of the Xerox Corporate 
network once the deliverable has been tested and approved. Once in place on 
the Xerox server, a CSE/Analyst or the customer can use the Update Manager UI
to download and install on the FreeFlow Print Server platform.

The customer proxy information must be set up on the FreeFlow Print Server
platform so it can access the Security Patch Update over the Internet. The
FreeFlow Print Server platform initiates a secure communication session with
the Xerox patch server using HTTP over the TLS 1.0 protocol (HTTPS on port
443) with an RSA 2048-bit certificate, SHA2 hash and AES 256-bit stream
encryption algorithms.

This connection ensures authentication of the FreeFlow Print Server platform 
for the Xerox server, and sets up encrypted communication of the patch data. 
The Xerox server does not initiate or have access to the FreeFlow Print Server
platform behind the customer firewall. The Xerox server and FreeFlow Print 
Server system both authenticate each other before making a connection between
the two end-points, and patch data transfer.
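Sections 2.2 and 3.1 both describe the Update Manager connection as TLS 1.0
on port 443 with an RSA 2048-bit certificate, SHA2 and AES-256. An
administrator will usually want to confirm what a patch server actually
negotiates, because TLS 1.0 is deprecated (RFC 8996) and a client restricted
to TLS 1.2 by policy can only download patches if the server offers it too.
The following Windows PowerShell 5.1 script is an added example, not Xerox
code and not part of the bulletin; the server name is a placeholder (the
bulletin does not name the Xerox patch server) and the function name is the
editor's own.

```powershell
# Added example (not Xerox's code): probe which TLS versions a patch server
# will negotiate and report the session and certificate parameters, so the
# bulletin's stated baseline (TLS 1.0, RSA 2048-bit certificate, SHA-2,
# AES-256) can be checked from the FreeFlow Print Server host.

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # No validation callback is supplied, so the default chain check applies:
        # an untrusted or mismatched server certificate fails the handshake
        # instead of being silently accepted.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Offer exactly one protocol version (with revocation checking on); a
        # failure here means the server refused that version or its certificate
        # did not validate. The Error column tells the two apart.
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $true)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { 'non-RSA key' }
        $report = [pscustomobject]@{
            Offered       = $Protocol
            Accepted      = $true
            Negotiated    = $ssl.SslProtocol
            Cipher        = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Hash          = $ssl.HashAlgorithm
            KeyExchange   = "$($ssl.KeyExchangeAlgorithm) $($ssl.KeyExchangeStrength)-bit"
            CertKeyBits   = $keyBits
            CertSignature = $cert.SignatureAlgorithm.FriendlyName
            CertSubject   = $cert.Subject
            Error         = $null
        }
        $ssl.Close()
        $report
    } catch {
        [pscustomobject]@{
            Offered = $Protocol; Accepted = $false; Negotiated = $null
            Cipher = $null; Hash = $null; KeyExchange = $null
            CertKeyBits = $null; CertSignature = $null; CertSubject = $null
            Error = $_.Exception.Message
        }
    } finally {
        $tcp.Close()
    }
}

# Placeholder host: the bulletin does not name the Xerox patch server.
$server  = 'patch-server.example.invalid'
$offered = 'Tls12', 'Tls11', 'Tls'      # 'Tls' is the enum name for TLS 1.0
$results = foreach ($p in $offered) {
    Test-TlsVersion -Server $server -Protocol ([System.Security.Authentication.SslProtocols]$p)
}
$results | Format-Table Offered, Accepted, Negotiated, Cipher, Hash, KeyExchange, CertKeyBits, CertSignature, Error -AutoSize

# What a defender looks for: TLS 1.2 accepted (so the client side can be
# restricted to it), and an RSA key no shorter than the 2048 bits stated.
if (-not ($results | Where-Object { $_.Accepted -and $_.Negotiated -eq 'Tls12' })) {
    Write-Warning "Server did not accept TLS 1.2; a client restricted to TLS 1.2 could not download patches."
}
if ($results | Where-Object { $_.Accepted -and $_.CertKeyBits -is [int] -and $_.CertKeyBits -lt 2048 }) {
    Write-Warning "Server certificate key is shorter than the 2048 bits stated in the bulletin."
}
```

Run it from a host with direct egress: TcpClient does not use the proxy
settings the bulletin says Update Manager requires. If the Xerox server
insists on a client certificate during the handshake (the bulletin says the
two sides authenticate each other), every probe fails with a certificate
error rather than a protocol error, which is itself a useful confirmation.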

3.2 DVD/USB Media Delivery

Xerox uploads the FreeFlow Print Server Security Patch Update to a secure SFTP
site that is available to the Xerox Analyst and Service once the deliverables
have been tested and approved. The FreeFlow Print Server patch deliverables 
are available as a ZIP archive or ISO image file, and a script used to perform
the install. The Security Patch Update installs by executing a script, and 
installs on top of a pre-installed FreeFlow Print Server software release. The
install script includes options to install the Security Patch Update directly
from DVD/USB media or from the FreeFlow Print Server internal hard disk. A PDF
document is available with procedures to install the Security Patch Update 
using the DVD/USB media delivery method upon request.

If the Analyst supports their customer performing the Security Patch Update,
then they must provide the customer with the Security Patch Update install
document and the Security update deliverables. This method of Security Patch
Update install is not as convenient or simple for the customer as the network
install methods offered by Update Manager.

See the Security Patch Update deliverable filenames and sizes in the table
below:

Security Patch Update File                   Windows(R) File Size   Size in Bytes
                                             (K-bytes)
FFPSv2-Win10_SecPatchUpdate_Oct2019.zip      3,171,656              3,247,775,192
FFPSv2-Win10_SecPatchUpdate_Oct2019.iso      3,172,006              3,248,134,144

3.3 Windows Update Delivery

The Windows Update service enables information technology administrators to
deploy the latest Microsoft product updates to computers that are running the
Windows operating system. By using the Windows Update service, administrators
can fully manage the distribution of updates released through Microsoft Update
to FreeFlow Print Server platforms on their network.

Microsoft uploads the Patch Updates to a server that is available on the 
Internet outside of the Microsoft Corporate network once patch deliverables 
have been tested and approved. Installing the Security patches directly from 
Microsoft using the Windows Update service brings some risk given they have 
not been tested by Xerox on the FreeFlow Print Server platform. It is required
that the customer proxy server information be configured on the FreeFlow Print
Server platform so that the Windows Update service can gain access to the 
Microsoft server over the Internet outside of the customer network. Xerox is 
not responsible for the Security of the connection to the Microsoft patch 
server.

We recommend manually performing a FreeFlow Print Server System Backup and a
Windows Restore Point backup just prior to checking for the Windows patch
updates and installing them. This will give assurance of FreeFlow Print Server
system recovery if the installed Security patches create a software problem or
result in the FreeFlow Print Server software becoming inoperable. The
Security Patch Update makes changes only to the Windows 10 OS, and not to
the FreeFlow Print Server software. Therefore, restoring a Windows Restore
Point (taken prior to patch install) will reverse the install of the Security
Patch Update if recovery is required, and is much faster than the full
FreeFlow Print Server System Restore. We recommend performing a full FreeFlow
Print Server System Backup for redundancy purposes in case the checkpoint
restore does not work. The only option for FreeFlow Print Server system
recovery may be the FreeFlow Print Server System Backup if the system should
become inoperable such that Windows is not stable. Make sure to store the
FreeFlow Print Server System backup on a remote storage location or DVD/USB
media.
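The backup advice in section 3.3 amounts to a short pre-patch procedure: take
the restore point, confirm it was actually recorded, and log what Windows
Update intends to install before anything is applied. The following Windows
PowerShell 5.1 script is an added example, not Xerox code and not part of the
bulletin; the function names and the log file path are the editor's choices.
It does not perform the FreeFlow Print Server System Backup (a Xerox
application procedure) and it installs nothing. Run it from an elevated
session on the FreeFlow Print Server host.

```powershell
# Added example (not Xerox's code): create the Windows Restore Point the
# bulletin recommends, verify it exists, and record the pending Windows
# updates before the install is started.

function New-PrePatchRestorePoint {
    param([string] $Description = "Before Windows security patch update")

    # System Restore must be enabled on the system drive before a checkpoint
    # can be taken.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"

    # On Windows 8 and later, Checkpoint-Computer only warns (and creates
    # nothing) when another restore point was made within the last 24 hours
    # (the SystemRestorePointCreationFrequency setting). A missing rollback
    # point must stop the patch run, so the result is verified, not assumed.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    $latest = Get-ComputerRestorePoint |
        Sort-Object -Property SequenceNumber -Descending |
        Select-Object -First 1
    if (-not $latest -or $latest.Description -ne $Description) {
        throw "Restore point '$Description' was not created; do not proceed with patching."
    }
    return $latest
}

function Get-PendingWindowsUpdate {
    # Microsoft.Update.Session is the Windows Update Agent COM API built into
    # Windows; it honours the proxy and WSUS settings configured on the host,
    # which the bulletin says must be in place for Windows Update to work.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        $kbs = foreach ($id in $update.KBArticleIDs) { "KB$id" }
        [pscustomobject]@{
            Title    = $update.Title
            KB       = $kbs -join ','
            Severity = $update.MsrcSeverity
            SizeMB   = [math]::Round($update.MaxDownloadSize / 1MB, 1)
        }
    }
}

# Checkpoint first, then record what is pending. The install itself is then
# done through Settings > Windows Update, or, as the bulletin recommends, with
# the Xerox-tested Security Patch Update instead.
$restorePoint = New-PrePatchRestorePoint
"Restore point #$($restorePoint.SequenceNumber) recorded: $($restorePoint.Description)"

$pending = Get-PendingWindowsUpdate
$pending | Format-Table -AutoSize

# Log path is the editor's choice; keep the list with the restore point number
# so a later rollback decision can be tied to exactly what was installed.
$logPath = Join-Path $env:ProgramData ("pre-patch-updates-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$pending | Export-Csv -NoTypeInformation -Path $logPath
"Pending update list written to $logPath (restore point #$($restorePoint.SequenceNumber))."
```

Rollback later is `Restore-Computer -RestorePoint <SequenceNumber>` using
the number the script prints. As the bulletin notes, that reverses only the
Windows changes, so the FreeFlow Print Server System Backup remains the
fallback if Windows itself becomes unstable.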

4.0 Disclaimer

The information provided in this Xerox Product Response is provided "as is" 
without warranty of any kind. Xerox Corporation disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Xerox Corporation be 
liable for any damages whatsoever resulting from user's use or disregard of 
the information provided in this Xerox Product Response including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Xerox Corporation has been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential damages so the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----