Products Affected by SHA-1 Certificate Expiration: Available Options for Continuing Remote Services
Security Bulletins for Xerox Products (7)
Xerox® WorkCentre® 3550
Contains fixes for CVE-2016-2177, CVE-2016-2183 (Sweet32) and CVE-2015-2808 (Bar Mitzvah) on WorkCentre 3550.
This software contains fixes for the Logjam and VxWorks TCP Sequence vulnerabilities on WorkCentre 3550.
Includes fixes for the POODLE and FREAK OpenSSL vulnerabilities.
Digital Signature of Software Upgrade Files v1.1
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.
The Xerox products Phaser 3600, Phaser 4600/4620 and the WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.
Firmware solutions that will now only accept software upgrade files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on the Xerox Security Site.
Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7
NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.
Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted PostScript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.
As part of Xerox's ongoing efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.
Information Assurance for Xerox Products (1)
Statements of Volatility for Xerox Products (1)
Secure Installation and Operations Guides for Xerox Products (1)
This document has been created to detail the security settings available to customers on Xerox Multifunction devices that may not have their own specific Secure Installation and Operation document.
NOTE: Not all products will support all the security features detailed in this document.