* percx@xxxxxxxxxx [2011-11-07 15:32:47 +0000]: > 2. Description: > > Passwords can be extracted in plan text from the settings export file. > http://hostname-IP_Address/cgi-bin/exportfile/printer/config/secure/settingfile.ucf > > ============================================================================ > > 4. Affected Products: > Lexmark X656de multifunction printer (Kernel=FPR.APS.F184-0, Base=LR.MN.P224a-0) > Other Lexmark and Dell branded Multifunction printers may also be vulnerable Might this not have been fixed by the following change in firmware P311e2, which was released in April 2010 and advertised as fixing various CVEs? 3) Security related UCF keys can now be imported/exported from the embedded web server. What I see on an X65x running P510 is that security-related keys are now in authfile.ucf, authentication is required in order to download that (if one has configured authentication; hopefully those who haven't done so also haven't stored any sensitive information in the device), and some passwords are deliberately not included in the file (presumably because they cannot be stored as one-way hashes). Of course that doesn't prove that all possible configurations are now safe but it is a hint that the issue may already have been taken care of. > ============================================================================ > > 5. Solution: > > Insure that a complex password is set on printer. Really? How does that help against password leakage? And why not recommend, or at least mention the possibility of, a firmware upgrade? P311e2, P413c and P510/P510b all contain security fixes, and you haven't claimed that the latest firmware was still vulnerable. It would have been interesting to check.
