Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)

Digital Signature of Software Upgrade Files
v1.1
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.

The Xerox products Phaser 3600, Phaser 4600/4620 and WorkCentre 3550 were shipped without the ability to accept only digitally signed software upgrade files. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable or disable software upgrade via SNMP.

Firmware solutions that will now accept only software upgrade files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on the Xerox Security Site.

Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7

Generic Xerox Multifunction Device Secure Installation and Operation Guide v1.0 (PDF 232.7K)

This document has been created to detail the security settings available to customers on Xerox Multifunction devices that may not have their own specific Secure Installation and Operation document.

NOTE: Not all products will support all the security features detailed in this document.

Xerox Security Bulletin XRX12-003 v1.1 (PDF 185.5K)

NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.

Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted PostScript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.

As part of Xerox’s ongoing efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.