Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0230
Xerox announces mitigation for man-in-the-middle attacks on
CBC mode cipher suites
12 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Xerox products
Operating System: Printer
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Mitigation
Member content until: Wednesday, September 11 2019
OVERVIEW
Xerox have announced mitigation steps for man-in-the-middle attacks
against certain products via certain cipher suites employing
Cipher-Block-Chaining mode.
Xerox classifies this mitigation as Critical. [1]
IMPACT
Xerox advises the following:
"Servers that utilize TLS1.0, TLS1.1, and TLS1.2 with
Cipher-Block-Chaining mode cipher suites enabled are susceptible to
man-in-the-middle attacks that exploit MAC padding." [1]
The mitigation steps mentioned below apply to the
network-connected versions of the following products:
Xerox WorkCentre: 5325, 5330, 5335
Xerox Color: 550, 560, C60, C70
Xerox: D95, D95A, D110, D125, D136
Xerox Versant: 180, 3100
Xerox VersaLink: all devices [1]
MITIGATION
Xerox advises:
"To mitigate this vulnerability on Xerox print systems that do not support
disabling CBC mode ciphers make sure that the device is setup in a secure
environment. In addition:
1. Ensure the system is behind a network firewall.
2. Provide physical security controls to limit access to the network from an
internal location.
3. Always install the most current software/firmware versions. For Xerox print
systems that do support disabling CBC ciphers, make sure that the servers
communicating with these Xerox print systems are configured to disallow use of
CBC mode." [1]
REFERENCES
[1] Xerox Security Bulletin XRX19-015
https://security.business.xerox.com/wp-content/uploads/2019/07/cert_XRX19-015-v1.2.pdf
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVDj/WaOgq3Tt24GAQgMOhAAp4up3qNJRnkOeA2+OHfVSnWYyJDL7Qwn
50XFE6EgIe6514tEYNQQ5D1ID4/Pxe+XDw9REjYIwe+je2n2VidxXRr4VreIZOr5
4BJC6T7SV3AbgJ4GcpavTV5Y9M17jsxzDJ3VWUhBaMsf4J0tN4LQ6V+HFt5P53HK
Z43zmydhteEiM/i33fiBeF/ulnXnDDmewcLEtoqjruk0eJm8q51m3nlMAZCM3Xvd
gIT/So4xN01J1A8NUoTSdbu9Fmk1IkSaTq/elw7iczyiCr9Ceymf9YBvQDUaaG8i
+5oVj5Cc/l+vVTEJItYwq95d/+ueKsl/v8B/wB4i3tRX/Y5ilHFEfpcx6Iu5BKEz
huIjjrr2GXmBkPC/4njAsQCT75qNJ56J2Pc2RbY/f0zKvuDaO6TiajWJdAqMSNVe
oN0BS5ZkvSZTpfBoRpW0NXRCFZbS+6xAB9Da0k8K2Rb9xAt9aj/I/xRVX6BqnCj2
ColkC7a1IbakwLbMpjtlQWDexWfJ/VUJN7S5k2VhstPqQ7ZrzAvJ5+I5RgWqTFwU
Eu6rOjFusCuoGCzDxa6M8EcVLtrQto4MzEuLnMngVHAH2wxuabyesApZceXdrcI8
EAbeWT162bs70WnWUfF5Q+PsoLGggkfFtvhMsKIqeVe/lL/vzu/NYTrApyG9EzIL
LPd+L/Niazs=
=Xqj2
-----END PGP SIGNATURE-----