Cert Advisory 2002-03 and HP JetDirect

From: Information Security (InformationSecurityat_private)
Date: Tue Feb 19 2002 - 07:53:48 PST

    It appears that HP JetDirect firmware is more susceptible to SNMP
    vulnerabilities than originally referenced in the CERT Advisory CA-2002-03
    (http://www.cert.org/advisories/CA-2002-03.html).  Some basic testing with
    Protos on an internal network seems to indicate that devices with JetDirect
    firmware x.08.32 crash each time a single malformed SNMP packet is received.
    The HP Download Manager for JetDirect reports that the printer software is
    up-to-date.
    
    On the hardware I tested, the packet generated an "EIO" error and required
    the device to be powered off to recover.  Control panel input was not
    available.
    
    The packet can be generated using the req-enc protos test with the options
    "-zerocase -showreply -single 13771".  The protos test name is
    "set-req-ber-l-length" in the category of "Invalid BER length (L) fields".
    
    The TCPDump trace is:
    15:43:38.979321 1.2.3.4.1890 > 1.2.3.5.161:  
          SetRequest(39) .1.3.6.1.2.1.1.5.0="c06-snmpv"
    15:43:39.179098 1.2.3.4.1891 > 1.2.3.5.161:
          GetRequest(25) .1.3.6.1.2.1.1.5.0
    
    As an interesting side note, Ethereal (a popular open source sniffer /
    traffic analyzer) crashes every time it sees this packet also.  It gives the
    error "GLib-ERROR **: could not allocate -1 bytes aborting...".
    
    This testing has been very limited (only LaserJet 4si and 8150 series
    printers were tested), so please post your test results to Bugtraq.
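
The receiver-side check for the "Invalid BER length (L) fields" category named in the message, as an added example that is not part of the original post and is not code from HP, Ethereal or PROTOS: a bounds-checked BER length decoder in C. The function and enum names and the sample bytes are this example's own constructions; the post does not give the contents of the test packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes; all names in this example are its own, not from any SNMP stack. */
enum ber_status { BER_OK, BER_TRUNCATED, BER_INDEFINITE, BER_TOO_WIDE, BER_OVERRUN };

/* Decode the BER length (L) field at buf[0]; `avail` is the number of bytes
 * left in the datagram from buf[0] on. On BER_OK, *len is the content length
 * and *hdr is the size of the L field itself. */
enum ber_status ber_read_length(const uint8_t *buf, size_t avail,
                                size_t *len, size_t *hdr)
{
    if (avail < 1)
        return BER_TRUNCATED;
    if (buf[0] < 0x80) {                 /* short form: length is the octet */
        *len = buf[0];
        *hdr = 1;
    } else {
        size_t n = buf[0] & 0x7f;        /* long form: n length octets follow */
        if (n == 0)
            return BER_INDEFINITE;       /* SNMP allows definite lengths only */
        if (n > 4)
            return BER_TOO_WIDE;         /* far beyond any UDP datagram size */
        if (n > avail - 1)
            return BER_TRUNCATED;        /* length octets run off the packet */
        uint32_t v = 0;                  /* unsigned: 0xffffffff never becomes -1 */
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];
        *len = v;
        *hdr = 1 + n;
    }
    /* The declared content must fit in what was actually received. */
    return (*len > avail - *hdr) ? BER_OVERRUN : BER_OK;
}

int main(void)
{
    /* Constructed samples: a valid 3-byte value and an L field of 0xffffffff. */
    static const uint8_t good[] = { 0x03, 'a', 'b', 'c' };
    static const uint8_t bad[]  = { 0x84, 0xff, 0xff, 0xff, 0xff };
    size_t len = 0, hdr = 0;
    printf("good: %d\n", (int)ber_read_length(good, sizeof good, &len, &hdr));
    printf("bad:  %d\n", (int)ber_read_length(bad, sizeof bad, &len, &hdr));
    return 0;
}
```

A decoder that stores the length in a signed 32-bit integer reads the second sample as -1, the value that appears in the Ethereal allocation error quoted in the message; comparing the unsigned length against the bytes actually received rejects it before any allocation or copy.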
    


