BugTraq
Back to list
|
Post reply
Re: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
Mar 04 2003 10:24AM
Sven Pechler (helpdesk tm tue nl)
In-Reply-To: <3E63BA9C.3000303 (at) satx.rr (dot) com [email concealed]>
Hello Geoff,
Thank you for your reply.
Some reactions on your statements:
1. I've tested the SNMP 'set community name'. None responded
to 'internal' after I changed it to something else.
You are right when you mean the SNMP 'GET community name', that one can't
be changed.
2. I'm not suggesting to keep the Web Server (EWS) password empty, only
the 'Web Jetadmin (WJA) device password'.
But you are right with the newer JetDirect cards (610N and higher). In
those cards the 'Web Jetadmin device password' is equal to the EWS
password (and also equal to the telnet password).
In the 'older' JetDirect cards (600N and older), the 'WJA device password'
has nothing to do with the EWS password (they can even be different). The
WJA device password is just stored in a reserved place in the devices'
NVRAM and can only be used by the WJA.
I have tested your suggesting by disabling the EWS (ews-config:0). The
EWS shows now the message '404 not found'. But when I place a device
password using WJA, the password is again readable in ASCII text using
SNMP. So it won't help.
And you are right about the raw ascii string; I made a typo in that one.
Regards,
University of Technology Eindhoven
Faculty of Technology Management
Sven Pechler
---------
>Date: Mon, 03 Mar 2003 14:27:08 -0600
>From: "snooper (at) satx.rr (dot) com [email concealed]" <snooper (at) satx.rr (dot) com [email concealed]>
>To: Sven Pechler <helpdesk (at) tm.tue (dot) nl [email concealed]>, bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: RE: New HP Jetdirect SNMP password vulnerability when using Web
JetAdmin
>
>Sven,
>
>I have been doing some research on the same issue, and it appears that
>some of the new firmware versions from HP actually fix this
>vulnerability by replacing the web server with a newer version that
>doesn't rely on client-side java to verify the password.
[..snip..]
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Hello Geoff,
Thank you for your reply.
Some reactions on your statements:
1. I've tested the SNMP 'set community name'. None responded
to 'internal' after I changed it to something else.
You are right when you mean the SNMP 'GET community name', that one can't
be changed.
2. I'm not suggesting to keep the Web Server (EWS) password empty, only
the 'Web Jetadmin (WJA) device password'.
But you are right with the newer JetDirect cards (610N and higher). In
those cards the 'Web Jetadmin device password' is equal to the EWS
password (and also equal to the telnet password).
In the 'older' JetDirect cards (600N and older), the 'WJA device password'
has nothing to do with the EWS password (they can even be different). The
WJA device password is just stored in a reserved place in the devices'
NVRAM and can only be used by the WJA.
I have tested your suggesting by disabling the EWS (ews-config:0). The
EWS shows now the message '404 not found'. But when I place a device
password using WJA, the password is again readable in ASCII text using
SNMP. So it won't help.
And you are right about the raw ascii string; I made a typo in that one.
Regards,
University of Technology Eindhoven
Faculty of Technology Management
Sven Pechler
---------
>Date: Mon, 03 Mar 2003 14:27:08 -0600
>From: "snooper (at) satx.rr (dot) com [email concealed]" <snooper (at) satx.rr (dot) com [email concealed]>
>To: Sven Pechler <helpdesk (at) tm.tue (dot) nl [email concealed]>, bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: RE: New HP Jetdirect SNMP password vulnerability when using Web
JetAdmin
>
>Sven,
>
>I have been doing some research on the same issue, and it appears that
>some of the new firmware versions from HP actually fix this
>vulnerability by replacing the web server with a newer version that
>doesn't rely on client-side java to verify the password.
[..snip..]
[ reply ]