13. Printers with a Mind of their Own?

We are aware of several cases in recent days of unexpected output appearing on networked printers around the University. In general these appear to result from network scans by systems on the global internet and do not appear to be actively exploiting any vulnerability specific to printers. The output we’ve seen appears to be a standard HTTP probe for open proxies, interpreted by the printer as though it were raw text.

What this has revealed is that many printers are exposed to the global internet, often on several ports and in some cases ten or more. Port 515 (lpd) is blocked at the University’s external gateway, but many other ports commonly used by printers, such as port 80 (HTTP, commonly used for printer management) and 9100 (HP JetDirect), are unrestricted. There are no immediate plans to introduce further restrictions at the University’s external gateway.

Where possible, we recommend limiting access to printers to permitted hosts only, for instance at local firewalls. If no firewall is in place, or as an additional safeguard, many printers permit use of basic IP-based access controls, as well as disabling of unused services. Be aware that in some cases, there may be a need to submit print jobs from outside the local network (for instance, from Oracle Financials), and that some users may have got used to printing from remote locations.
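
As an added illustration (not OxCERT's own code), the following Python example classifies the first bytes a printer receives on its raw port 9100, separating genuine print jobs from HTTP proxy probes of the kind described above, and lists the connections that came from outside the permitted networks. The permitted network, the source addresses and the payloads are all constructed for the example.

```python
import ipaddress
import re

# Assumed local policy for this example: only this network may reach printers.
PERMITTED = [ipaddress.ip_network("192.0.2.0/24")]

# Byte sequences that begin a genuine job on a raw print port (9100).
JOB_PREFIXES = {
    b"\x1b%-12345X": "PJL",   # HP Universal Exit Language / PJL header
    b"%!": "PostScript",
    b"\x1bE": "PCL",          # PCL printer reset
}
# An HTTP request line; proxy probes use an absolute URI or CONNECT.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|CONNECT|OPTIONS) (\S+) HTTP/1\.[01]\r?\n")

def classify_payload(data: bytes) -> str:
    """Label the first bytes received on the raw print port."""
    for prefix, name in JOB_PREFIXES.items():
        if data.startswith(prefix):
            return f"print-job:{name}"
    m = REQUEST_LINE.match(data)
    if m:
        method, target = m.group(1), m.group(2)
        if method == b"CONNECT" or target.lower().startswith((b"http://", b"https://")):
            return "http-proxy-probe"
        return "http-request"
    # Anything else is printed as plain text by a printer that accepts raw input.
    return "unknown-raw-text"

def is_permitted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PERMITTED)

def review(connections):
    """Return (source, verdict) for each connection an access control should have refused."""
    return [(src, classify_payload(payload))
            for src, payload in connections if not is_permitted(src)]

# Constructed sample: (source address, first bytes received on port 9100).
SAMPLE = [
    ("192.0.2.17", b"\x1b%-12345X@PJL JOB NAME=\"report\"\r\n"),
    ("203.0.113.50", b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("198.51.100.9", b"CONNECT example.com:443 HTTP/1.0\r\n\r\n"),
    ("203.0.113.77", b"%!PS-Adobe-3.0\n"),
]

if __name__ == "__main__":
    for src, verdict in review(SAMPLE):
        print(f"{src}: {verdict}")
```

The last sample entry is a real print job from an address outside the permitted network, the remote-printing case to account for before tightening access controls.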

Additionally, we recommend use of strong administrative passwords, and where possible, restricting administrative access to encrypted protocols only.

Please note: as of 2011-09-20, port 80 (http) is no longer blocked at the University firewall. Devices listening on this port will be open to the world unless local access controls are in place. Port 515 (lpd) remains blocked at the University’s external gateway.
