Various PostScript Vulnerabilities Disclosed

Name
Various PostScript Vulnerabilities Disclosed
Tracking Number
2017-002
First Publish Date
06-Feb-17
Date of Current Status
22-Feb-17
Next Planned Update
N/A
Description
Recently researchers in Germany published a paper describing a number of vulnerabilities in the PostScript printer language used by many printers and multifunction devices from various manufacturers. Some of the vulnerabilities can lead to loss of printer function while others may release sensitive information. Recent attacks using these vulnerabilities were reported over the weekend.
What You Need To Know
PostScript is a programming language used by printers and multifunction devices to print documents. PostScript files are usually generated by printer drivers during the process of printing. However, by carefully crafting a PostScript file by hand, attackers can use features of the PostScript language to render the printer unusable or possibly grab sensitive information.
What is Xerox Doing About This?
Xerox has a wide range of products that use PostScript. Xerox has spent considerable effort in the past to mitigate as many of these vulnerabilities as possible without affecting how PostScript functions. We have performed an evaluation of our portfolio and confirmed these mitigations were applied.
Impact
The vulnerabilities that render the device unusable are the most likely to be used by attackers.
What Should You Do?
Xerox recommends the following to minimize the possibility your device could become a target of these attacks:
  • Don’t connect your Xerox device directly to the public Internet. Make sure it’s behind a firewall or router so that only you and your users have access to it. This keeps outsiders from accessing the machine and interrupting your business. Please check with your IT department if you’re unsure.
  • Don’t leave the administrator’s password set to the default. Change it so that unauthorized individuals can’t easily guess it and take control.
  • Choose a password that is at least 8 (eight) characters in length with a combination of letters, numbers and special characters.
  • Never share the administrator’s password with anyone who does not have a legitimate need to know.
  • Enable SSL/TLS and validate any certificates used with the device. Information on this can be found in the appropriate Secure Installation and Operation document for your device. Use the Xerox Security Information, Bulletins and Advisory Responses section below to find those guides and to access other security-related information, including important bulletins regarding software updates.