Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

SUPPORT COMMUNICATION- SECURITY BULLETIN HPSBPI03583 rev. 1 - ROCA - Vulnerable RSA Generation: HP Trusted Platform Module (TPM) Accessory and Certain HP Enterprise Printer and MFP Products, Certain HP PageWide Printer and MFP Products with Standard TPM

Related Vulnerabilities: CVE-2017-15361  

A potential security vulnerability known as “ROCA: Vulnerable RSA Generation” has been identified with the RSA keys generated by the HP Trusted Platform Module (TPM) Accessory and printers equipped with a TPM. This vulnerability could potentially be exploited remotely to allow remote disclosure of information.

Source
Potential Security Impact:
Remote disclosure of information

VULNERABILITY SUMMARY

A potential security vulnerability known as “ROCA: Vulnerable RSA Generation” has been identified with the RSA keys generated by the HP Trusted Platform Module (TPM) Accessory and printers equipped with a TPM. This vulnerability could potentially be exploited remotely to allow remote disclosure of information.
Reference Number
CVE-2017-15361, PSR-2018-0069
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION below for a list of potentially impacted printers.
note:
All printer versions prior to the firmware versions listed are potentially impacted.
BACKGROUND
For a PGP signed version of this security bulletin please write to: hp-security-alert@hp.com
CVSS 3.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2017-15361
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.6
Information on CVSS is documented in HP Customer Notice: HPSN­2008­002.
RESOLUTION
HP has provided a firmware update and work arounds for potentially impacted printers as reflected in the table below.
note:
The TPM firmware is only bundled with the FutureSmart 4 printer firmware.
To obtain the updated firmware, go to www.hp.com and follow these steps:
  1. Click Support/Software & Drivers.
  2. Click Printer.
  3. Enter the appropriate printer name listed in the table below into the search field.
  4. Click Submit.
  5. Click the appropriate product.
  6. Under Firmware, select the appropriate firmware update, and then click Download.
Customers with printers running FutureSmart 3 may mitigate risk for the identified vulnerability through one of the workaround methods listed below or by upgrading their device to FutureSmart 4.
  1. When generating a certificate via the printer Embedded Web Server, select Make the certificate Exportable. This will not use TPM certificate generation functions. Instructions are located in the document: Install, view, and manage certificates to ensure data security in the HP Embedded Web Server (EWS).
  2. Use HP Security Manager to generate and manage certificate requests. Instructions can be found in the HP JetAdvantage Security Manager Certificate Management (in English).
  3. Generate a new RSA certificate outside the device (e.g. via a Hardware Security Module) and import the certificate to the device. Certificates may be imported to the HP printer via the printer Embedded Web Server. Instructions to import a certificate are located in the document: Install, view, and manage certificates to ensure data security in the HP Embedded Web Server (EWS).
note:
For firmware marked with an asterisk (*), please contact HP support to obtain the firmware update. HP contact information can be found at www.hp.com under Contact HP.
Product Name
Fixed Version(s)
SoftPaq #
HP Trusted Platform Module Accessory
F5S62A
*Locate firmware for printer in chart below
HP LaserJet Enterprise M506
F2A70A, F2A71A
FS4: 2406048_029640 (or higher)*
HP LaserJet Managed M506
F2A67A
FS4: 2406048_029640 (or higher)*
HP Color LaserJet Enterprise M553
B5L26A
FS4: 2406048_029643 (or higher)*
HP Color LaserJet Managed M553 series
B5L39A
FS4: 2406048_029643 (or higher)*
HP OfficeJet Enterprise Color X555
C2S11A, C2S11V, C2S12A, C2S12V, L1H45A
FS4: 2406048_029642 (or higher)
HP PageWide Enterprise Color 556
G1W46A, G1W46V, G1W47A, G1W47V
FS4: 2406048_029637 (or higher)
HP PageWide Managed Color E55650 series
L3U44A
FS4: 2406048_029637 (or higher)
HP LaserJet Enterprise M605
E6B71A
FS4: 2406048_029639 (or higher)*
HP LaserJet Enterprise M606
E6B73A
FS4: 2406048_029639 (or higher)*
HP LaserJet Enterprise M607
K0Q14A, K0Q15A
FS4: 2406048_029638 (or higher)
HP LaserJet Enterprise M608
K0Q17A, K0Q18A, K0Q19A
FS4: 2406048_029638 (or higher)
HP LaserJet Enterprise M609
K0Q20A, K0Q21A, K0Q22A
FS4: 2406048_029638 (or higher)
HP LaserJet Managed E60055
M0P33A
FS4: 2406048_029638 (or higher)
HP LaserJet Managed E60065
M0P35A, M0P36A
FS4: 2406048_029638 (or higher)
HP LaserJet Managed E60075
M0P39A, M0P40A
FS4: 2406048_029638 (or higher)
HP Color LaserJet Managed M651 series
H0DC9A, L8Z07A
FS4: 2406048_029632 (or higher)
HP PageWide Enterprise Color 765
J7Z04A
FS4: 2406048_029619 (or higher)
HP PageWide Managed Color E75160
J7Z06A
FS4: 2406048_029619 (or higher)
HP LaserJet Enterprise M806
CZ244A, CZ245A
FS4: 2406048_029646 (or higher)
HP Color LaserJet Enterprise M855
A2W77A, A2W78A, A2W79A, D7P73A
FS4: 2406048_029626 (or higher)
HP LaserJet Enterprise MFP M527
F2A76A, F2A77A, F2A81A
FS4: 2406048_029628 (or higher)
HP LaserJet Enterprise Flow MFP M527
F2A78V
FS4: 2406048_029628 (or higher)
HP LaserJet Enterprise Managed MFP M527
F2A79A
FS4: 2406048_029628 (or higher)
HP LaserJet Enterprise Managed Flow MFP M527
F2A80A
FS4: 2406048_029628 (or higher)
HP Color LaserJet Enterprise MFP M577
B5L46A, B5L47A
FS4: 2406048_029627 (or higher)
HP Color LaserJet Enterprise Flow MFP M577
B5L48A, B5L54A
FS4: 2406048_029627 (or higher)
HP Color LaserJet Managed MFP M577 series
B5L49A
FS4: 2406048_029627 (or higher)
HP Color LaserJet Managed Flow MFP M577 series
B5L50A
FS4: 2406048_029627 (or higher)
HP OfficeJet Enterprise Color MFP X585
B5L04A, B5L05A
FS4: 2406048_029636 (or higher)
HP OfficeJet Enterprise Color Flow MFP X585
B5L06A, B5L07A
FS4: 2406048_029636 (or higher)
HP OfficeJet Managed Color MFP X585
L3U40A, L3U41A
FS4: 2406048_029636 (or higher)
HP PageWide Enterprise Color MFP 586
G1W39A, G1W39V, G1W40A, G1W40V
FS4: 2406048_029624 (or higher)
HP PageWide Enterprise Color Flow MFP 586
G1W41A, G1W41V
FS4: 2406048_029624 (or higher)
HP PageWide Managed Color MFP E58650 series
L3U42A
FS4: 2406048_029624 (or higher)
HP PageWide Managed Color MFP Flow E58650 series
L3U43A
FS4: 2406048_029624 (or higher)
HP LaserJet Enterprise MFP M630
B3G85A, J7X28A, B3G84A
FS4: 2406048_029631 (or higher)
HP LaserJet Enterprise Flow MFP M630
P7Z47A, B3G86A
FS4: 2406048_029631 (or higher)
HP LaserJet Managed MFP M630
L3U61A
FS4: 2406048_029631 (or higher)
HP LaserJet Managed Flow MFP M630
L3U62A, P7Z48A
FS4: 2406048_029631 (or higher)
HP LaserJet Enterprise MFP M631
J8J64A, J8J63A, J8J65A
FS4: 2406048_029629 (or higher)
HP LaserJet Enterprise MFP M632
J8J70A, J8J71A, J8J72A
FS4: 2406048_029629 (or higher)
HP LaserJet Enterprise MFP M633
J8J76A, J8J78A
FS4: 2406048_029629 (or higher)
HP LaserJet Managed MFP E62555dn
J8J66A
FS4: 2406048_029629 (or higher)
HP LaserJet Managed MFP E62565hs
J8J73A
FS4: 2406048_029629 (or higher)
HP LaserJet Managed Flow MFP E62565h, z
J8J74A, J8J79A
FS4: 2406048_029629 (or higher)
HP LaserJet Managed Flow MFP E62575z
J8J80A
FS4: 2406048_029629 (or higher)
HP Color LaserJet Enterprise MFP M680
CZ248A, CZ249A
FS4: 2406048_029633 (or higher)
HP Color LaserJet Enterprise Flow MFP M680
CZ250A, CZ251A
FS4: 2406048_029633 (or higher)
HP Color LaserJet Managed MFP M680
L3U47A
FS4: 2406048_029633 (or higher)
HP Color LaserJet Managed Flow MFP M680
L3U48A
FS4: 2406048_029633 (or higher)
HP PageWide Enterprise Color MFP 780
J7Z10A, J7Z09A
FS4: 2406048_029621 (or higher)
HP PageWide Enterprise Color MFP 785
J7Z11A, J7Z12A
FS4: 2406048_029621 (or higher)
HP PageWide Managed Color Flow MFP E77650
J7Z08A, J7Z14A
FS4: 2406048_029621 (or higher)
HP PageWide Managed Color Flow MFP E77660
Z5G77A, J7Z03A, J7Z07A, J7Z05A
FS4: 2406048_029621 (or higher)
HP PageWide Managed Color MFP E77650
J7Z13A, Z5G79A
FS4: 2406048_029621 (or higher)
HP LaserJet Enterprise Flow MFP M830z
CF367A, D7P68A
FS4: 2406048_029645 (or higher)
HP LaserJet Managed Flow MFP M830 series
L3U65A
FS4: 2406048_029645 (or higher)
HP Color LaserJet Enterprise Flow MFP M880
A2W76A, A2W75A, D7P71A
FS4: 2406048_029641 (or higher)
HP Color LaserJet Managed MFP M880 series
L3U51A, L3U52A
FS4: 2406048_029641 (or higher)
...
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.
Report: To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc_profile.
Security Bulletin Archive: To view released Security Bulletins, search the HP Support Site for "security bulletin".
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
PI
HP Printing and Imaging
HF
HP Hardware and Firmware
GN
HP General Software
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: hp-security-alert@hp.com
Subject: get key
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin.HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action.HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin.To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
REVISION HISTORY : Version 1: 8 June 2018 Initial release

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started