Xerox Security Bulletin XRX14-008 V1.0 (PDF 1M)

Xerox Security Bulletin XRX14-008 Bash Shellshock Command Line Interpreter Vulnerability v1.0 11/10/2014

Background

A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.

NOTE: Review the bulletin for a more complete list of devices.

Xerox Security Bulletin XRX12-012 v1.0 (PDF 71.6K)

The Xerox Phaser 7800 product was shipped with software upgrades enabled by default and with network protocols enabled that could be exploited to gain unauthorized access to the system.

NOTE: If Software Upgrade is currently disabled on the desired device, it must be enabled prior to installation of this software patch. The software release indicated below will perform the following actions:
• Change the default state of software upgrade to disabled. After installing this firmware/software, software upgrade will be disabled. It can be re-enabled at the Web UI when necessary.
• Remove protocols that were not intended to be present in the production configuration.

Details about this bulletin and other Xerox Product Security features can be found at the Xerox Security Site.

The link to the software needed to upgrade your Phaser 7800 can be found inside the bulletin document, or the software can be downloaded from this link: http://www.support.xerox.com/go/getfile.asp?objid=122181&EULA=28&Xtype=download&uType=

Xerox Security Bulletin XRX12-003 v1.1 (PDF 185.5K)

NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.

Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted PostScript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.

As part of Xerox’s ongoing efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.