COMMAND

    multivarible SNMP query

SYSTEMS AFFECTED

    HP 5 series firmware less than 19960829

PROBLEM

    Ben previously  reported that  you could  crash HP  5m printers by
    doing a multivarible SNMP query on the interpreters table.  He has
    since found  a similar  problem that  applies to  all HP  5 series
    printers  whose  firmware  datecode  is  less  than 19960829.  The
    easiest way to figure out if your printer is affected is to use  a
    snmptool such as those from UC Davis from:

        http://www.ece.ucdavis.edu/ucd-snmp/

    and try the command:

        snmpget printername public 43.15.1.1.4.1.1

    The easiest  way to  manifest the  bug is  to use  a program  like
    npadmin from:

        http://www.penguincomputing.com/prtools/npadmin.html

    and try to examine a large table like the interpreters or channels
    table:

        npadmin --languages printername

    or

        npadmin --protocol printername

    The bug leaves  the printer in  different conditions depending  on
    the JetDirect  firmware revision,  the model  of the  printer, and
    possibly the state of  the printer at the  time of the attack.  In
    many cases it leaves the printer with a 79(12BF) or 79(9208) error
    but still pingable. In this state it may even accept one print job
    but  not  print  it.  In  other  cases,  ther error message in the
    display is missing. In a few cases the printer is left unpingable.

    The problem seems to be independant of the JetDirect hardware  and
    firmware revision and so doing a flash upgrade will not solve  the
    problem.   The problem  seems to  be due  to a  bug in the printer
    firmware, often  times called  the formwatter,  which crashes when
    certain multivariable  SNMP queries  are executed.   Upgrading the
    formatter  software  involves  replacing  some hardware within the
    printer and so this can not be trivially done.

SOLUTION

    Ben reported this bug to HP  and they believe that it is  the same
    bug that  causes all  HP 5m's  to crash  on certain  multivariable
    queries. They are  in the process  of preparing a  JetDirect flash
    upgrade that works around the bug in the formatter.