Updates for security vulnerabilities in Xerox printers
Xerox has released a software update that fixes several security vulnerabilities in printers of the WorkCentre and WorkCentre Pro series. An attacker could exploit the vulnerabilities to execute arbitrary commands on the devices.
Vulnerabilities in the processing of user-entered TCP/IP host names, in the configuration parameters for Microsoft networking in the web user interface and in the folder name field of the Scan to Mailbox function allow an attacker to inject and run programs of their choice, for example to install an FTP service. Scan to Mailbox can also be abused by anonymous users to download protected files from the printer.
A flaw in the handling of browser permissions could grant access without the required privileges. If automatic configuration via TFTP and BOOTP is enabled, an attacker could likewise change settings without the required privileges. In addition, requests to the web service can be made directly over plain HTTP instead of a secure HTTPS connection.
Xerox WorkCentre and WorkCentre Pro printers with model numbers 232, 238, 245, 255, 265 and 275 are affected. Software versions 12.060.17.000, 14.060.17.000 and 13.060.17.000 fix the problems. Xerox recommends that administrators install the new versions urgently.
- XEROX SECURITY BULLETIN XRX06-006 (PDF), Xerox's bulletin on the security vulnerabilities
- Download the updated printer software
(trk)