This might surprise some, but printers need patching too. The rule of thumb you should use is if it has an IP address, then it can be vulnerable and will most likely require a patch at some point in time.
SANS handler’s diary has just published such a story – Time to patch your HP printers. The actual HP bulletin is here. Looks like PC Advisor also picked up the story.
The easiest way to do the firmware upgrade is to use HP’s Web Jetadmin. Using Web Jetadmin, you can discover all your printers on your LAN and remotely do firmware upgrades.
Although this vulnerability only allows the bad guys to access any files on the printer (and therefore view previously printed documents), I can foresee printers being used as a staging point for more serious things. The reason is that printers have not received the same amount of scrutiny that workstations/serves have and most likely are softer targets. As well, printers do not run anti-virus or other kind of defensive software. So what should you do? Here are a few things that will harden your printers:
- Use a central management console like Web Jetadmin. This will allow you to discover any new printers added and to easily deploy the latest firmware.
- Keep up with the firmware releases. This is probably a difficult one to do, especially if you use printers from a number of vendors. You should at least do a round of patching once a year.
- Scan your printers for vulnerabilities. Make sure to use a tool that can differentiate between a printer device and a workstation. If it doesn’t, scanning can lead to lockups and rebooting of your printers. Not so good if it’s in the middle of printing a big color job by your boss. Nessus scanner is one such scanner. Be warned that scanning your printer will probably cause it to print a few pages.
If anyone else has anything else that they do to harden their printers, please use the comments below.
Great! As if it wasn’t tough enough to keep all pc patched in a corporation.