Reece Dodds asked:
I’m unsure if this should be asked here or over on security.stackexchange.com…
Over the Easter long weekend, a small office of ours had a network breach in that an old HP printer was used to print some very offensive antisemitic documents. It appears to have happened to a number of universities in Western cultures all over the world.
Anyway… I read that it’s actually a pretty basic security exploit with most networked printers. Something to do with TCP port 9100 and access to the internet. I haven’t been able to find much info on the specifics of how because everyone seems too concerned with the why.
The network setup is pretty simple for the office that was affected. It has 4 PC’s, 2 networked printers, an 8-port switch and a residential modem/router running an ADSL2+ connection (with static internet IP and a pretty vanilla configuration).
Is the point of weakness in the modem/router or the printer?
I’ve never really considered a printer as a security risk that needs to be configured, so in an effort to protect this office’s network, I’d like to understand how the printers were exploited. How can I stop or block the exploit? And check or test for the exploit (or correct block of the exploit) in our other much larger offices?
This attack disproportionately affected universities because, for historical reasons, many universities use public IPv4 addresses for most or all of their network, and for academic reasons have little or no ingress (or egress!) filtering. Thus, many individual devices on a university network can be reached directly from anywhere on the Internet.
In your specific case, a small office with an ADSL connection and home/SOHO router and static IP address, it’s most likely that someone at the office explicitly forwarded TCP port 9100 from the Internet to the printer. (By default, because NAT is in use, incoming traffic has nowhere to go unless some provision is made to direct it somewhere.) To remediate this, you simply remove the port forwarding rule.
In larger offices with proper ingress firewalling, you generally won’t have any allow rules for this port at the border, except perhaps for VPN connections if you need people to be able to print over your VPN.
To secure the printer/print server itself, use its built in allow list/access control list to specify the range(s) of IP addresses allowed to print to the printer, and deny all other IP addresses. (The linked document also contains other recommendations for securing your printers/print servers, which you should also evaluate.)
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.