-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02949847 Version: 2 HPSBPI02698 SSRT100404 rev.2 - HP Easy Printer Care Software Running on Windows, Remote Execution of Arbitrary Code NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2012-01-11 Last Updated: 2012-01-11 Potential Security Impact: Remote execution of arbitrary code Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Easy Printer Care Software Running on Windows. The vulnerability can be remotely exploited to write arbitrary files to the system and execute them via the browser. References: CVE-2011-2404 , ZDI-CAN-1092, CVE-2011-4786, ZDI-CAN-1093, CVE-2011-4787, ZDI-CAN-1117 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Easy Printer Care Software v2.5 and earlier for Windows XP and Vista. This Windows software could be used in conjunction with the following Laser Jet and Color Laser Jet printer models: Laser Jet P1005 / P1006 / P1007 / P1008 Laser Jet 1010 / 1012 / 1015 Laser Jet P1102 / P1102w Laser Jet M1120 / M1120n Laser Jet Pro M1132 / M1134 / M1136 / M1137 / M1138 / M1139 Laser Jet 1150 Laser Jet 1160 Laser Jet Pro M1212nf / M1213nf / N1214nfh / M1216nfh / M1217nfw / M1219nf Laser Jet 1300 Laser Jet 1320 Laser Jet P1505 Laser Jet 2100 Laser Jet 2200 Laser Jet 2300 / 2300L Laser Jet 2410 / 2420 / 2430 Laser Jet 3015 All-in-one Laser Jet 3020/3030 All-in-one Laser Jet 3050Z All-in-one Laser Jet 3380 All-in-one Laser Jet M3035mfp Laser Jet 4000 Laser Jet 4050 Laser Jet 4100 Laser Jet 4100mfp Laser Jet 4200 / 4240 / 4250 Laser Jet 4300 / 4350 Laser Jet M4345mfp Laser Jet 4345mfp Laser Jet 5000 Laser Jet M5035mfp Laser Jet 5100 Laser Jet 5200 / Laser Jet 5200L Laser Jet 8000 Laser Jet 8000mfp Laser Jet 8100 / 8150 Laser Jet 9000 Laser Jet 9000mfp / 9000Lmfp Laser Jet 9040 / 9050 Laser Jet 9040mfp / 9050mfp / 9055mfp / 9065mfp Color Laser Jet CP 1215 / 1217 Color Laser Jet CP 1514n / 1515n / 1518ni Color Laser Jet 2500 Color Laser Jet 2550 Color Laser Jet 2820 / 2840 All-in-one Color Laser Jet 3000* Color Laser Jet 3500 / 3550 Color Laser Jet 3600 Color Laser Jet 3700 Color Laser Jet 3800* Color Laser Jet4500 Color Laser Jet 4550 Color Laser Jet 4600 / 4610 / 4650 Color Laser Jet 4700* Color Laser Jet 4730mfp* Color Laser Jet 5500 / 5550 Color Laser Jet 8500 Color Laser Jet 8550 Color Laser Jet 9500 Color Laser Jet 9500mfp BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-2404 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-4786 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-4787 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP Easy Printer Care Software v2.5 and earlier for Windows XP and Vista is no longer available from HP. HP Easy Printer Care Software is no longer supported by HP. HP Recommends this software be uninstalled from the system as soon as possible. The HPTicketMgr.dll ActiveX control that is vulnerable is CLSID 466576F3-19B6-4FF1-BD48-3E0E1BFB96E9, If the Easy PRinter Care software is not uninstalled, HP recommends setting the kill bit for the vulnerable ActiveX control Class identifier (CLSID) {466576F3-19B6-4FF1-BD48-3E0E1BFB96E9} . The kill bit is set by modifying the data value of the Compatibility Flags DWORD value for the CLSID of this ActiveX control to 0x00000400. This is explained in Microsoft's article KB240797 or subsequent. http://support.microsoft.com/kb/240797 HISTORY Version:1 (rev.1) - 8 August 2011 Initial release Version:2 (rev.2) - 11 Jan 2012 Added additional ZDI issues impacted in Easy Printer Care Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk8ODhAACgkQ4B86/C0qfVm6dwCfQLt0J9NhagY3TShIE2wi8ORc N+YAoKipdhM6KpyCOvQuHtSEFXGowR5M =1Ant -----END PGP SIGNATURE-----