It appears that HP JetDirect firmware is more susceptible to SNMP vulnerabilities than originally referenced in the CERT Advisory CA-2002-03 (http://www.cert.org/advisories/CA-2002-03.html). Some basic testing with Protos on an internal network seems to indicate that devices with JetDirect firmware x.08.32 crash each time a single malformed SNMP packet is received. The HP Download Manager for JetDirect reports that the printer software is up-to-date.

On the hardware I tested, the packet generated an "EIO" error and required the device to be powered off to recover. Control panel input was not available.

The packet can be generated using the req-enc protos test with the options "-zerocase -showreply -single 13771". The protos test name is "set-req-ber-l-length" in the category of "Invalid BER length (L) fields".

The TCPDump trace is:

    15:43:38.979321 1.2.3.4.1890 > 1.2.3.5.161: SetRequest(39) .1.3.6.1.2.1.1.5.0="c06-snmpv"
    15:43:39.179098 1.2.3.4.1891 > 1.2.3.5.161: GetRequest(25) .1.3.6.1.2.1.1.5.0

As an interesting side note, Ethereal (a popular open source sniffer / traffic analyzer) crashes every time it sees this packet also. It gives the error "GLib-ERROR **: could not allocate -1 bytes aborting...".

This testing has been very limited (only LaserJet 4si and 8150 series printers were tested), so please post your test results to Bugtraq.
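The test category named above, "Invalid BER length (L) fields", targets the step where a decoder reads a TLV length and trusts it. The following is an added example, not part of the original post and not code from HP, Ethereal or PROTOS: a strict length decoder that a receiver could apply before allocating or copying anything. The function name and result codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for ber_read_length(); names are hypothetical. */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_INDEFINITE = -2,
       BER_TOO_WIDE = -3, BER_OVERRUN = -4 };

/*
 * Decode the length (L) field at buf[*pos] and check it against the bytes
 * actually remaining in the datagram. On success *len holds the content
 * length and *pos points at the first content byte. On failure the caller
 * must drop the packet; *pos and *len are then not meaningful.
 */
int ber_read_length(const uint8_t *buf, size_t buflen, size_t *pos, size_t *len)
{
    if (*pos >= buflen)
        return BER_TRUNCATED;
    uint8_t first = buf[(*pos)++];

    if ((first & 0x80) == 0) {          /* short form: 0..127 */
        *len = first;
    } else {
        size_t n = first & 0x7f;        /* number of length octets */
        if (n == 0)
            return BER_INDEFINITE;      /* SNMP uses definite lengths only */
        if (n > 4)
            return BER_TOO_WIDE;        /* wider than any UDP payload needs */
        if (n > buflen - *pos)
            return BER_TRUNCATED;       /* length octets run off the end */
        uint32_t v = 0;                 /* unsigned: 0xFFFFFFFF never becomes -1 */
        while (n--)
            v = (v << 8) | buf[(*pos)++];
        *len = v;
    }
    /* Compare against remaining bytes without adding to *pos (no overflow). */
    if (*len > buflen - *pos)
        return BER_OVERRUN;
    return BER_OK;
}
```

Keeping the length unsigned and comparing it with the remaining byte count before any allocation is what prevents a request such as the "-1 bytes" allocation in the Ethereal error quoted above.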