Open Source and information security mailing list archives
 
Message-ID: <20111110090436.GA2095@hanuman.astro.su.se>
Date: Thu, 10 Nov 2011 10:04:37 +0100
From: Sergio Gelato <Sergio.Gelato@...ro.su.se>
To: percx@...fus.net
Cc: bugtraq@...urityfocus.com
Subject: Re: foofus.net security advisory - Lexmark Multifunction Printer
 Information Leakage

* percx@...fus.net [2011-11-07 15:32:47 +0000]:
> 2. Description:
> 
> Passwords can be extracted in plain text from the settings export file.
> http://hostname-IP_Address/cgi-bin/exportfile/printer/config/secure/settingfile.ucf
> 
> ============================================================================
> 
> 4. Affected Products:
> Lexmark X656de multifunction printer (Kernel=FPR.APS.F184-0, Base=LR.MN.P224a-0)
> Other Lexmark and Dell branded Multifunction printers may also be vulnerable

Might this not have been fixed by the following change in firmware P311e2,
which was released in April 2010 and advertised as fixing various CVEs?
     3) Security related UCF keys can now be imported/exported from the 
        embedded web server.

What I see on an X65x running P510 is that security-related keys are now
in authfile.ucf, authentication is required in order to download that (if one
has configured authentication; hopefully those who haven't done so also haven't
stored any sensitive information in the device), and some passwords are
deliberately not included in the file (presumably because they cannot be
stored as one-way hashes). Of course that doesn't prove that all possible
configurations are now safe but it is a hint that the issue may already
have been taken care of.

> ============================================================================
> 
> 5. Solution:
> 
>    Ensure that a complex password is set on printer.

Really? How does that help against password leakage? 

And why not recommend, or at least mention the possibility of, a firmware 
upgrade? P311e2, P413c and P510/P510b all contain security fixes, and you 
haven't claimed that the latest firmware was still vulnerable. It would have
been interesting to check.
