search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HP LaserJet Professional printer telnet debug shell vulnerability

Vulnerability Note VU#782451

Original Release Date: 2013-03-11 | Last Revised: 2013-03-11

Overview

Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.

Description

Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.

For additional vulnerability information and a list of affected devices see HP Security Bulletin HPSBPI02851 SSRT101078.

Impact

A remote unauthenticated attacker can connect to the telnet debug shell and gain unauthorized access to data.

Solution

Update

HP has provided updated printer firmware to resolve this issue. Firmware download information can be found in HP Security Bulletin HPSBPI02851 SSRT101078.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

782451
 
Affected   Unknown   Unaffected

Hewlett-Packard Company

Notified:  January 09, 2013 Updated:  March 08, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:N/I:C/A:C
Temporal 6.2 E:POC/RL:OF/RC:UC
Environmental 1.6 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Christoph von Wittich of Hentschke Bau GmbH for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-5215
Date Public: 2013-03-06
Date First Published: 2013-03-11
Date Last Updated: 2013-03-11 12:39 UTC
Document Revision: 8

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.