Products Affected by SHA-1 Certificate Expiration
Available Options for Continuing Remote Services
WorkCentre 3550
Security Bulletins for Xerox Products (7)
Xerox Security Bulletin XRX18P V1.0 (PDF 165.6K)
Xerox® WorkCentre® 3550
Xerox Security Mini Bulletin XRX16AJ_V1.0 (PDF 118.2K)
Contains fixes for CVE-2016-2177, CVE-2016-2183 (Sweet32) and CVE-2015-2808 (Bar Mitzvah) on WorkCentre 3550.
Xerox Security Mini Bulletin XRX16C_V1.0 (PDF 115.9K)
This software contains fixes for the Logjam and VxWorks TCP Sequence vulnerabilities on WorkCentre 3550.
Xerox Security Mini Bulletin XRX15AJ_V1.0 (PDF 194.7K)
Includes fixes for POODLE and the FREAK OpenSSL vulnerabilities.
Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)
Digital Signature of Software Upgrade Files v1.1
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.
The Xerox products Phaser 3600, Phaser 4600/4620 and WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.
Firmware solutions that will now accept only software upgrade files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on the Xerox Security Site.
Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7
Xerox Security Bulletin XRX12-003 v1.1 (PDF 185.5K)
NOTE: We are re-issuing this bulletin due to a spelling error in the name of one of the researchers. No technical content in the bulletin has changed.
Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specially crafted PostScript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.
As part of Xerox’s ongoing efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.
Information Assurance for Xerox Products (1)
Statements of Volatility for Xerox Products (1)
WorkCentre 3550 Statement of Volatility (PDF 225.6K)
Secure Installation and Operations Guides for Xerox Products (1)
Generic Xerox Multifunction Device Secure Installation and Operation Guide v1.0 (PDF 232.7K)
This document has been created to detail the security settings available to customers on Xerox Multifunction devices that may not have their own specific Secure Installation and Operation document.
NOTE: Not all products will support all the security features detailed in this document.