10 May 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1441 Xerox FreeFlow Print Server patched 10 May 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xerox FreeFlow Print Server Publisher: Xerox Operating System: Windows Network Appliance Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Existing Account Modify Arbitrary Files -- Remote/Unauthenticated Create Arbitrary Files -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-5148 CVE-2018-5147 CVE-2018-5146 CVE-2018-5143 CVE-2018-5142 CVE-2018-5141 CVE-2018-5140 CVE-2018-5138 CVE-2018-5137 CVE-2018-5136 CVE-2018-5135 CVE-2018-5134 CVE-2018-5133 CVE-2018-5132 CVE-2018-5131 CVE-2018-5130 CVE-2018-5129 CVE-2018-5128 CVE-2018-5127 CVE-2018-5126 CVE-2018-5125 CVE-2018-5122 CVE-2018-5121 CVE-2018-5119 CVE-2018-5118 CVE-2018-5117 CVE-2018-5116 CVE-2018-5115 CVE-2018-5114 CVE-2018-5113 CVE-2018-5112 CVE-2018-5111 CVE-2018-5110 CVE-2018-5109 CVE-2018-5108 CVE-2018-5107 CVE-2018-5106 CVE-2018-5105 CVE-2018-5104 CVE-2018-5103 CVE-2018-5102 CVE-2018-5101 CVE-2018-5100 CVE-2018-5099 CVE-2018-5098 CVE-2018-5097 CVE-2018-5095 CVE-2018-5094 CVE-2018-5093 CVE-2018-5092 CVE-2018-5091 CVE-2018-5090 CVE-2018-5089 CVE-2018-2815 CVE-2018-2814 CVE-2018-2811 CVE-2018-2800 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2794 CVE-2018-2790 CVE-2018-1038 CVE-2018-0870 CVE-2017-8635 CVE-2017-8618 CVE-2017-8607 CVE-2017-8606 CVE-2017-8589 CVE-2017-8578 CVE-2016-3485 CVE-2016-3297 CVE-2015-2465 CVE-2015-2454 CVE-2015-2381 CVE-2014-6354 Reference: ESB-2018.1251 ESB-2018.1054 ESB-2018.1044 ESB-2018.0775 ESB-2018.0258 ESB-2016.2653 ESB-2016.1929 ESB-2016.1857 ESB-2015.1860 Original Bulletin: https://security.business.xerox.com/wp-content/uploads/2018/05/cert_XRX18-015_FFPSv2_Standalone_May2018.pdf - --------------------------BEGIN INCLUDED TEXT-------------------- Xerox Security Bulletin XRX18-015 XeroxÃ‚Â® FreeFlowÃ‚Â® Print Server v2 Standalone Supports: XeroxÃ‚Â® iGenÃ‚Â®5 Press and XeroxÃ‚Â® BrenvaTM HD Production InkJet Printer Products Patch Version: April 2018 Security Patch Update Includes: Java 8 Update 172, and Firefox v59.0.2 Patches Bulletin Date: May 8, 2018 1.0 Background MicrosoftÃ‚Â® responds to US CERT advisory council notifications of Security vulnerabilities referred to as Common Vulnerabilities and Exposures (CVEÃ¢Â€Â™s) and develops patches that remediate the Security vulnerabilities that are applicable to WindowsÃ‚Â® 7 and components (e.g., WindowsÃ‚Â® ExplorerÃ‚Â®, .Net FrameworkÃ‚Â®, etc.). The FreeFlowÃ‚Â® Print Server organization has a dedicated development team, which actively reviews the US CERT advisory council CVE notifications, and delivers Security patch updates from MicrosoftÃ‚Â® to remediate the threat of these Security risks for the FreeFlowÃ‚Â® Print Server v2 / WindowsÃ‚Â® v7 Standalone platform. The FreeFlowÃ‚Â® Print Server organization delivers Security Patch Updates on the FreeFlowÃ‚Â® Print Server v2 / WindowsÃ‚Â® v7 Standalone platform by the FreeFlowÃ‚Â® Print Server organization on a quarterly (i.e., 4 times a year) basis. The FreeFlowÃ‚Â® Print Server engineering team receives new patch updates in January, April, July and October, and will test them for supported Printer products (such as the XeroxÃ‚Â® iGenÃ‚Â®5 Press) prior to delivery for customer install. XeroxÃ‚Â® tests FreeFlowÃ‚Â® Print Server operations with the patch updates to ensure there are no software issues prior to installing them at a customer location. Alternatively, a customer can use WindowsÃ‚Â® Update to install patch updates directly from MicrosoftÃ‚Â®. If the customer manages their own patch install, the Xerox support team can suggest options to minimize the risk of FreeFlowÃ‚Â® Print Server operation problems that could result from patch updates. This bulletin announces the availability of the following: 1. April 2018 Security Patch Update This supersedes the January 2018 Security Patch Update 2. Java 8 Update 172 Software This supersedes Java 8 Update 162 3. Firefox v59.0.2 Software This supersedes Firefox v57.0.3 See the US-CERT Common Vulnerability Exposures (CVE) the Java 8 Update 172 Software remediate in table below: Java 8 Update 172 Software Remediated US-CERT CVEÃ¢Â€Â™s CVE-2016-3485 CVE-2018-2794 CVE-2018-2796 CVE-2018-2798 CVE-2018-2800 CVE-2018-2814 CVE-2018-2790 CVE-2018-2795 CVE-2018-2797 CVE-2018-2799 CVE-2018-2811 CVE-2018-2815 See US-CERT Common Vulnerability Exposures (CVE) the April 2018 Security Patch Update remediate in table below: April 2018 Security Patch Update Remediated US-CERT CVEÃ¢Â€Â™s CVE-2014-6354 CVE-2018-0870 CVE-2018-5099 CVE-2018-5110 CVE-2018-5122 CVE-2018-5135 CVE-2015-2381 CVE-2018-1038 CVE-2018-5100 CVE-2018-5111 CVE-2018-5125 CVE-2018-5136 CVE-2015-2454 CVE-2018-5089 CVE-2018-5101 CVE-2018-5112 CVE-2018-5126 CVE-2018-5137 CVE-2015-2465 CVE-2018-5090 CVE-2018-5102 CVE-2018-5113 CVE-2018-5127 CVE-2018-5138 CVE-2016-3297 CVE-2018-5091 CVE-2018-5103 CVE-2018-5114 CVE-2018-5128 CVE-2018-5140 CVE-2017-8578 CVE-2018-5092 CVE-2018-5104 CVE-2018-5115 CVE-2018-5129 CVE-2018-5141 CVE-2017-8589 CVE-2018-5093 CVE-2018-5105 CVE-2018-5116 CVE-2018-5130 CVE-2018-5142 CVE-2017-8606 CVE-2018-5094 CVE-2018-5106 CVE-2018-5117 CVE-2018-5131 CVE-2018-5143 CVE-2017-8607 CVE-2018-5095 CVE-2018-5107 CVE-2018-5118 CVE-2018-5132 CVE-2018-5146 CVE-2017-8618 CVE-2018-5097 CVE-2018-5108 CVE-2018-5119 CVE-2018-5133 CVE-2018-5147 CVE-2017-8635 CVE-2018-5098 CVE-2018-5109 CVE-2018-5121 CVE-2018-5134 CVE-2018-5148 Note: XeroxÃ‚Â® recommends that customers evaluate their security needs periodically and if they need Security patches to address the above CVE issues, schedule an activity with their Xerox Service team to install this announced Security Patch Update. The customer can manage their own Security Patch Updates using WindowsÃ‚Â® Update services, but we recommend checking with Xerox Service to reduce risk of installing patches that have not tested by XeroxÃ‚Â®. 2.0 Applicability This April 2018 Security Patch Update (including Java 8 Update 172 software, and Firefox v59.0.2 Patches) is available for the FreeFlowÃ‚Â® Print Server v2 Software Release running on WindowsÃ‚Â® v 7 OS. The FreeFlowÃ‚Â® Print Server software releases tested with the April 2018 Security Patch Update installed per printer products is illustrated below: We have not tested the April 2018 Security Patch Update on all earlier FreeFlowÃ‚Â® Print Server v2 releases, but there should not be any problems on those releases. 2.1 Available Patch Update Install Methods XeroxÃ‚Â® offers the Security Patch Update delivery available over the network from a Xerox server using an application called FreeFlowÃ‚Â® Print Server Update Manager. The use of Update Manager (GUI-based application) makes it simple for a customer to install Security patch updates. Downloading and installing Security Patch Updates using the Update Manager has the advantage of Ã¢Â€Âœease of useÃ¢Â€Â as it involves accessing the Security Patch Update from a Xerox Server over the network. In addition, the FreeFlowÃ‚Â® Print Server Security Patch Update is available for a delivery method using media (DVD/USB) for the install. The FreeFlowÃ‚Â® Print Server customer schedules a Xerox Analyst or Service Engineer (CSE) to install the Security Patch Update at the customer account. The Analyst/CSE can choose to work with a customer, and allow them to install the Security Patch Updates from DVD/USB media. Printer Product Patch Update Tested Releases iGenÃ‚Â®5 Press CP.22.1.17236.0 CP.23.0.18058.0 BrenvaTM Printer CP.22.1.17282.0 A customer can also manage Security Patch Updates from a MicrosoftÃ‚Â® server on their own using WindowsÃ‚Â® Update service built into the Operating System. This is a GUI-based application used to schedule automatic patch updates, or to perform manual updates selecting a Ã¢Â€Â˜Check for UpdatesÃ¢Â€Â™ option. This method has the advantage of retrieving Security patches at the soonest time possible. It also has most risk given the install of these Security patches directly from MicrosoftÃ‚Â® untested on the FreeFlowÃ‚Â® Print Server platform by XeroxÃ‚Â®. 2.2 Security Considerations Security of the network, devices and information on a customer network may be a consideration when deciding whether to use the DVD/USB, FreeFlowÃ‚Â® Print Server Update Manager or WindowsÃ‚Â® Update method of Security Patch Update delivery and install. When using Update Manager, the external Xerox server that includes the Security Patch Update does not have access to the FreeFlowÃ‚Â® Print Server platform at a customer site. The FreeFlowÃ‚Â® Print Server platform (using Update Manager) initiates all communication to download the FreeFlowÃ‚Â® Print Server Security Patch Update, and the communication is Ã¢Â€ÂœsecureÃ¢Â€Â by TLS 1.0 over HTTPS (port 443) with the Xerox communication server. This communication uses an RSA 2018-bit certificate, SHA2 hash and AES 256-bit stream encryption algorithms. This connection ensures authentication of the FreeFlowÃ‚Â® Print Server platform for the Xerox server, and sets up encrypted communication of the patch data. The Xerox server does not initiate or have access to the FreeFlowÃ‚Â® Print Server platform behind the customer firewall. The XeroxÃ‚Â® server and FreeFlowÃ‚Â® Print Server system both authenticate each other before making a connection between the two end-points, and patch data transfer. Delivery and install of the Security Patch Update using Update Manager may still be a concern for some highly Ã¢Â€ÂœsecureÃ¢Â€ÂcustomerlocationssuchasUSFederalandStateGovernmentsites. Alternatively,deliveryandinstallof Security Patch Updates from DVD/USB media may be more desirable for these highly Security sensitive customers. They can perform a Security scan of the DVD/USB media with a virus protection application prior to install. If the customer does not allow use of DVD/USB media for devices on their network, you can transfer (using SMB, SFTP, or SCP) the Security Patch Update to the FreeFlowÃ‚Â® Print Server platform, and then install. 3.0 Patch Install XeroxÃ‚Â® strives to deliver these critical Security Patch Updates in a timely manner. The customer process to obtain FreeFlowÃ‚Â® Print Server Security Patch Updates (delivered on a quarterly basis) is to contact the Xerox hotline support number. The methods of Security Patch Update delivery and install are over the network using FreeFlowÃ‚Â® Print Server Update Manager or directly from MicrosoftÃ‚Â® using WindowsÃ‚Â® Update service, and using media (i.e., DVD/UB). We recommend the customer use the FreeFlowÃ‚Â® Print Server Update Manager or MicrosoftÃ‚Â® WindowsÃ‚Â® Update method if they wish to perform install on their own. This empowers the customer to have the option of installing these patch updates as soon as they become available, and not need to rely on the Xerox Service team. Many customers do not want the responsibility of installing the quarterly Security Patch Update or they are not comfortable providing a network tunnel to the XeroxÃ‚Â® or MicrosoftÃ‚Â® servers that store the Security Patch Update. In this case, the media install method is the best option under those circumstances. 3.1 Update Manager Delivery The Update Manager is a GUI tool on the FreeFlowÃ‚Â® Print Server platform used to check for Security updates, download Security updates, and install Security updates. The customer can install quarterly FreeFlowÃ‚Â® Print Server Security Patch Updates using the Update Manager UI, or schedule Xerox Service to perform the install. Once the Security patches are ready for customer delivery, they are available from the Xerox Edge Host and Download servers. Procedures are available for the FreeFlowÃ‚Â® Print Server System Administrator or Xerox Service for using the Update Manager GUI to download and install the Security patches over the Internet. The Update Manager UI has a Ã¢Â€Â˜Check for UpdatesÃ¢Â€Â™ button that can be selected to retrieve and list patch updates available from the Xerox patch server. When this option is selected the latest Security Patch Update should be listed (E.g., April 2018 Security Patch Update for FreeFlowÃ‚Â® Print Server v2 Standalone) as available for download and install. The Update Manager UI includes mouse selectable buttons to download and then install the patches. XeroxÃ‚Â® uploads the FreeFlowÃ‚Â® Print Server Security Patch Update to a Xerox patch server that is available on the Internet outside of the XeroxÃ‚Â® Corporate network once the deliverable has been tested and approved. Once in place on the Xerox server, a CSE/Analyst or the customer can use the Update Manager UI to download and install on the FreeFlowÃ‚Â® Print Server platform. The customer proxy information is required to be setup on the FreeFlowÃ‚Â® Print Server platform so it can access to the Security Patch Update over the Internet. The FreeFlowÃ‚Â® Print Server platform initiates a Ã¢Â€ÂœsecureÃ¢Â€Â communication session with the Xerox patch server using HTTP over the TSL 1.0 protocol (HTTPS on port 443) using an RSA 2018-bit certificate, SHA2 hash and AES 256-bit stream encryption algorithms. 3.2 DVD/USB Media Delivery XeroxÃ‚Â® uploads the FreeFlowÃ‚Â® Print Server Security Patch Update to a Ã¢Â€ÂœsecureÃ¢Â€Â SFTP site that is available to the Xerox Analyst and Service once the deliverables have been tested and approved. The FreeFlowÃ‚Â® Print Server patch deliverables are available as a ZIP archive or ISO image file, and a script used to perform the install. The Security Patch Update installs by executing a script, and installs on top of a pre-installed FreeFlowÃ‚Â® Print Server software release. The install script includes options to install the Security Patch Update directly from DVD/USB media or from the FreeFlowÃ‚Â® Print Server internal hard disk. A PDF document is available with procedures to install the Security Patch Update using the DVD/USB media delivery method upon request. If the Analyst supports their customer performing the Security Patch Update, then they must provide the customer with the Security Patch Update install document and the Security update deliverables. This method of Security Patch Update install is not as convenient or simple for customer install as the network install methods offered by Update Manger. See the Security Patch Update deliverable filenames and sizes in the table below: 3.3 WindowsÃ‚Â® Update Delivery WindowsÃ‚Â® Update services enables information technology administrators to deploy the latest MicrosoftÃ‚Â® product updates to computers that are running the WindowsÃ‚Â® operating system. By using WindowsÃ‚Â® Update service, administrators can fully manage the distribution of updates released through MicrosoftÃ‚Â® Update to FreeflowÃ‚Â® Print Server platforms on their network. MicrosoftÃ‚Â® uploads the Patch Updates to a server that is available on the Internet outside of the MicrosoftÃ‚Â® Corporate network once patch deliverables have been tested and approved. Installing the Security patches directly from MicrosoftÃ‚Â® using the WindowsÃ‚Â® Update service brings some risk given they have not been tested by XeroxÃ‚Â® on the FreeFlowÃ‚Â® Print Server platform. It is required that the customer proxy server information be configured on the FreeFlowÃ‚Â® Print Server platform so that the WindowÃ‚Â®s Update service can gain access to the MicrosoftÃ‚Â® server over the Internet outside of the customer network. XeroxÃ‚Â® is not responsible for the Security of the connection to the MicrosoftÃ‚Â® patch server. We recommend manually performing a FreeFlowÃ‚Â® Print Server System Backup and a WindowsÃ‚Â® Restore Point backup just prior to checking for the WindowsÃ‚Â® patch updates and installing them. This will give assurance of FreeFlowÃ‚Â® Print Server system recovery if the installed Security patches create a software problem or results in the FreeFlowÃ‚Â® Print Server software becoming inoperable. The Security Patch Update makes changes to only the WindowsÃ‚Â® 7 OS system, and not the FreeFlowÃ‚Â® Print Server software. Therefore, the restore of a WindowsÃ‚Â® Restore Point (prior to patch install) will reverse install of the Security Patch Update if recovery is required, and is much faster than the full FreeFlowÃ‚Â® Print Server System Restore. We recommend performing a full FreeFlowÃ‚Â® Print Server System Backup for redundancy purposes in case the checkpoint restore does not work. The only option for FreeFlowÃ‚Â® Print Server system recovery may be the FreeFlowÃ‚Â® Print Server System Backup if the system should become inoperable such that WindowsÃ‚Â® is not stable. Make sure to store the FreeFlowÃ‚Â® Print Server System backup onto a remote storage location or DVD/USB media. 4.0 Disclaimer The information provided in this XeroxÃ‚Â® Product Response is provided "as is" without warranty of any kind. XeroxÃ‚Â® Corporation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall XeroxÃ‚Â® Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this XeroxÃ‚Â® Product Response including direct, indirect, incidental, consequential, loss of business profits or special damages, even if XeroxÃ‚Â® Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages so the foregoing limitation may not apply. 2018 Xerox Corporation. All rights reserved. XeroxÃ‚Â® and Xerox and DesignÃ‚Â®, FreeFlowÃ‚Â®, iGenÃ‚Â®, BrenvaÃ‚Â® are trademarks of Xerox Corporation in the United States and/or other countries. BR21127 Other company trademarks are also acknowledged Security Patch Update File WindowsÃ‚Â® File Size (Kb) Size in Bytes FFPSv2-Win7_Standalone_SecPatchUpdate_Apr2018.zip 2,363,828 2,420,559,679 FFPSv2-Win7_Standalone_SecPatchUpdate_Apr2018.iso 2,364,178 2,420,918,272 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWvPfT4x+lLeg9Ub1AQiIzQ/+Jx6vt0ozfkVUxRcTlN+LBb3VscuFRw0q 6sNdGsYQIZoxfjYm5+tpdrIann1ZGaKsdGlipJ6RPleh0KzoAxG1frBhKetyQc2l /1VydomPwRo03O3UvxXwBs4MAWD7mLIw+xFAxrRse1nqPh8RuhxcVyvjpYaq4Gqd M2IygabemxEplMwHt80GItjcdODbYx/pVm/pjmJCu5HB38gw5ETWa170K1/Ovtjp oiJzWpJsfzY763isEMoJ9DbFCa0DvX8/0MPVqin4wZYXZzeCapf3hcRA+FvxCbMm DfsIY3wVAwqMl3Bg676gDWRLZOdqVES3uYOMRAxbrocCz7ztwdvC5uVnTD2RZxJ6 aVTORdUOkdzqoj1QzRPeRKFZYbTjw+f5+WHAQCUm0x5J6KD48+iKbn0cMDLXuMKD VnAJfCJLJ11nkzmo8MeeJZwO7tpw+dsvTk6FGssOcGISqoOa+g3DfNoS6WEx7mch EGsiw699+WZ3QAFEMU/nKw4wBY7gJXva1VzsLBPC2gtBWc7pl1MOcJ26YzI4D1zz 9tfqNGFObsNu0aYEsbjtOAl4ZgVCFeHkEjbx34cZXSvZpUF6Yh7+o/kES1dxAXHw tK623xF6TK1DGcbX7dT+72kY3uHvcPWW0IpGxqF7E9c1RZRFAGi++eioYj9WbeVU 1xPfElVunzI= =Mbz5 -----END PGP SIGNATURE-----