Xerox® Phaser® 7800
SPAR Release R17-04 081.150.107.11800
Phaser 7800 SPAR Release 081.150.106.28600
Contains fix for many vulnerabilities on Phaser 7800.
Xerox Security Bulletin XRX14-008
Bash Shellshock Command Line Interpreter Vulnerability
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.
A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.
NOTE: Review the bulletin for a more complete list of devices.
This post has been updated to correct a model error and clarification on methods to clear NVM.
The Xerox Phaser 7800 product was shipped with software upgrades enabled by default and with network protocols enabled that could be exploited to gain unauthorized access to the system.
NOTE: If Software Upgrade is currently disabled on the desired device. it must be enabled prior to installation of this software patch.
The software release indicated below will perform the following action:
• Change the default state of software upgrade to disabled. After installing this firmware/software, software upgrade will be
disabled. It can be re-enabled at the Web UI when necessary.
• Remove protocols that were not intended to be present in the production configuration.
Details about this bulletin and other Xerox Product Security features can be found at the Xerox Security Site.
The the link to this software needed to upgrade your Phaser 7800 can be found inside the bulletin document or can be downloaded from this link:
NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.
Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted Postscript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.
As part of Xerox’s on-going efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.