COMMAND

    TCP/IP

SYSTEMS AFFECTED

    HP JetDirect

PROBLEM

    This problem is based on an ISS Security Advisory. Even though the
    JetDirect cards are not subject to SYN flooding per se, the single-
    threaded TCP/IP stack means that even a single SYN packet can lock
    up the older interface for a significant period of time (tens of
    seconds to as much as a minute). Thus the printer can be subjected
    to a denial of service attack by slowly dripping SYN packets with
    non-responding "from" addresses at the older JetDirect interface.
    If this is directed at more than one of the JetDirect ports, the
    interface may lock up, as in the repeated rapid port scanning DoS
    described below.

    Some scanning tools use parallel port scanning to improve scanning
    speed.  Parallel scanning of multiple ports on the older JetDirect
    cards has a high probability  of causing a complete lockup  of the
    JetDirect  network  interface.   The  fact  that  the  DoS  is not
    deterministic, and  the failure  rate is  highly dependent  on the
    timing and  speed of  the scan,  indicates that  this is  a timing
    window  or  race  condition  in  the  TCP/IP  stack  on  the older
    JetDirect.  Rapidly scanning ports 9099 and 9100 can very  quickly
    cause this failure,  and scanning 9099  and 9100 from  a low order
    port such  as port  20 (ftp  data) could  slip past some filtering
    firewalls.
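    The two patterns described above (a slow drip of unanswered SYNs to
    the JetDirect ports, and a rapid multi-port scan from one source)
    can both be spotted in connection logs from a firewall or span port
    in front of the printer. The following detection script is an added
    example, not part of the original advisory; the log format and the
    sample records are constructed for illustration, and the one-second
    window and three-port threshold are assumptions to tune per site.

```python
from collections import defaultdict

JETDIRECT_PORTS = {9099, 9100}  # ports the advisory names on the older card

# Constructed sample flow log (not a real capture): "<secs> <src> <dst> <dport> <flags>".
# 10.0.0.5 completes its handshake, 192.0.2.x drip one SYN each and never answer,
# and 10.0.0.9 hits four ports within 100 ms like a parallel port scanner would.
SAMPLE_LOG = """\
0.0  10.0.0.5  10.0.1.20 9100 S
0.2  10.0.0.5  10.0.1.20 9100 A
12.0 192.0.2.7 10.0.1.20 9100 S
27.0 192.0.2.8 10.0.1.20 9099 S
41.0 192.0.2.9 10.0.1.20 9100 S
60.0 10.0.0.9  10.0.1.20 9099 S
60.0 10.0.0.9  10.0.1.20 9100 S
60.1 10.0.0.9  10.0.1.20 23 S
60.1 10.0.0.9  10.0.1.20 80 S
"""

def parse(log):
    """Return (ts, src, dst, dport, flags) tuples, one per non-empty line."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return [(float(t), s, d, int(p), f) for t, s, d, p, f in rows]

def unanswered_syns(records):
    """SYNs to a JetDirect port whose sender never sends the handshake ACK.
    One such SYN can stall the single-threaded stack, so every one is listed
    rather than thresholded.  Returns {dst: [(ts, src, dport), ...]}."""
    acked = {(s, d, p) for _, s, d, p, f in records if "A" in f}
    hits = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if dport in JETDIRECT_PORTS and flags == "S" and (src, dst, dport) not in acked:
            hits[dst].append((ts, src, dport))
    return dict(hits)

def scan_bursts(records, window=1.0, min_ports=3):
    """Sources opening >= min_ports distinct ports on one host within `window`
    seconds: the rapid parallel-scan pattern the advisory says locks the card."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if "S" in flags:
            by_pair[(src, dst)].append((ts, dport))
    found = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                found.append((src, dst, sorted(ports)))
                break
    return found
```

    Running `unanswered_syns(parse(SAMPLE_LOG))` lists the three dripped
    SYNs plus the scanner's two, and `scan_bursts(...)` flags 10.0.0.9
    alone; sources that appear in both lists deserve the first look.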

    The default SNMP community names on the older JetDirect cards  and
    servers allow for very rapid identification of vulnerable printers
    which may be  subjected to these  various attacks.   The community
    names on  the JetDirect  cards should  be changed.   On some older
    versions of the JetDirect interfaces, changing the SNMP  community
    names added the new community names, but the interface would still
    respond to the old community name. While SNMP community names
    should not be considered secure, these older cards may give a false
    sense of protection: the change appears to take effect, but the old
    name keeps working.

SOLUTION

    As for  flooding, newer  multi-threaded versions  of the JetDirect
    interfaces are not vulnerable to this problem.

    As for scanning, the problem may still be present, but much more
    difficult to exploit, in newer versions of the JetDirect interfaces
    and newer JetDirect print servers.

    As for SNMP, the problem of not being able to disable the older
    community name is not present in newer versions of the JetDirect
    interfaces.