-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Vulnerability Note VU#737740 Fiery EXP260 2.0 print
controllers use a vulnerable version of OpenSSL
20 March 2013
AusCERT Security Bulletin Summary
Product: Xerox DocuColor 242-252-262 printers
Operating System: Printer
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2013-0169 CVE-2013-0166 CVE-2012-2333
CVE-2012-0884 CVE-2011-4619 CVE-2011-4577
CVE-2011-4576 CVE-2011-4109 CVE-2011-4108
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#737740
Fiery EXP260 2.0 print controllers use a vulnerable version of OpenSSL
Original Release date: 18 Mar 2013 | Last revised: 19 Mar 2013
Fiery EXP260 2.0 print controllers used in Xerox DocuColor 242-252-262 printers
use a vulnerable version of OpenSSL (0.9.8o).
Xerox DocuColor 242-252-262 printers are known to use the Fiery EXP260 2.0
print controller. The Fiery EXP260 2.0 print controller uses OpenSSL for
SSL/TLS encryption. The version of OpenSSL that comes with the Fiery EXP260
2.0 print controller is 0.9.8o that is out of date and known to be vulnerable.
A remote attacker may be able to cause a denial of service or possibly run
Apply an Update
Apply patch 1-1IJ6ZK. The patch will upgrade OpenSSL to version 0.9.8x. Patch
1-1IJ6ZK can be obtained from Xerox tech support.
As a general good security practice, only allow connections from trusted hosts
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated
EFI Affected 18 Dec 2012 18 Mar 2013
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group Score Vector
Base 6.9 AV:A/AC:M/Au:N/C:P/I:P/A:C
Temporal 5.1 E:U/RL:OF/RC:C
Environmental 1.0 CDP:L/TD:L/CR:L/IR:L/AR:L
Thanks to Curtis Rhodes for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: CVE-2013-0169 CVE-2013-0166 CVE-2012-2333 CVE-2012-0884 CVE-2011-4619
CVE-2011-4577 CVE-2011-4576 CVE-2011-4109 CVE-2011-4108 CVE-2010-4180
Date Public: 18 Mar 2013
Date First Published: 18 Mar 2013
Date Last Updated: 19 Mar 2013
Document Revision: 25
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----